[nycphp-talk] User Input Data scrubbing
Chris Shiflett
shiflett at php.net
Fri Nov 28 20:00:45 EST 2008
On Nov 28, 2008, at 16:59, Michele Waldman wrote:
> What about inserting a comment
>
> <script>alert('hi');</script>'; delete from users;
>
> Like I’m going to name my table users?
>
> With that one statement about they have performed a sql injection
> and html injection in one stroke.
>
> Bada bing bada bang bada boom
>
> Next time I display their comment out of the database they are
> popping up an alert to every user and my users are gone.
>
> Michele
Two words: escape output
--
Chris Shiflett
http://shiflett.org/
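Chris's two words in working form, as an added example that is not part of the thread: the comment from Michele's message is stored through a PDO prepared statement and escaped with htmlspecialchars() when rendered, using an in-memory SQLite database and hypothetical table names so it runs on its own.

```php
<?php
// Added example (not from the original thread): store the quoted sample
// comment with a prepared statement and escape it on output. Uses an
// in-memory SQLite database and made-up table names so it runs stand-alone.

declare(strict_types=1);

// Escape on output: encode the characters that carry meaning in HTML,
// including both quote styles so the text is safe inside attributes too.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parameterized insert: the comment is bound as data, never parsed as SQL,
// so the embedded apostrophe cannot terminate the string literal.
function storeComment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");

// The comment from the quoted message, constructed here as sample input.
$comment = "<script>alert('hi');</script>'; delete from users;";
storeComment($db, $comment);

// The users table is untouched: the trailing DELETE was stored as text.
$userCount = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users remaining: {$userCount}\n";

// Render the stored comment: the <script> tag and quotes come out as
// entity-encoded text, so the browser displays them instead of running them.
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo '<p>' . escapeForHtml($row['body']) . "</p>\n";
}
```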