NYCPHP Meetup

[nycphp-talk] User Input Data scrubbing

Chris Shiflett shiflett at php.net
Fri Nov 28 20:00:45 EST 2008


On Nov 28, 2008, at 16:59, Michele Waldman wrote:

> What about inserting a comment
>
> <script>alert('hi');</script>'; delete from users;
>
> Like I’m going to name my table users?
>
> With that one statement they have performed a SQL injection  
> and HTML injection in one stroke.
>
> Bada bing bada bang bada boom
>
> Next time I display their comment out of the database they are  
> popping up an alert to every user and my users are gone.
>
> Michele

Two words: escape output

--
Chris Shiflett
http://shiflett.org/
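The scenario from Michele's message, worked as an added example (not code from the thread): the quoted comment is stored with a bound parameter and displayed with escaped output, so neither the SQL fragment nor the script tag does anything. It assumes the pdo_sqlite extension is available; the in-memory database stands in for the real one.

```php
<?php
// Added example, not from the thread: store the hostile comment as data and
// escape it on output, the two habits Chris's reply points at.
declare(strict_types=1);

// Constructed sample: the exact payload quoted in Michele's message.
const HOSTILE_COMMENT = "<script>alert('hi');</script>'; delete from users;";

// Escape for an HTML body context. ENT_QUOTES also escapes single quotes,
// which matters when a value is placed inside a single-quoted attribute.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store the comment through a bound parameter: the text travels as data, so
// the embedded "'; delete from users;" is never parsed as SQL.
function store_comment(PDO $db, string $comment): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $comment]);
}

// Render stored comments with escaping applied at the point of display.
// The <script> tag comes back as visible text, not as markup the browser runs.
function render_comments(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT body FROM comments') as $row) {
        $html .= '<p>' . escape_html($row['body']) . "</p>\n";
    }
    return $html;
}

// In-memory SQLite (assumption: pdo_sqlite is loaded) so the example runs alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY)');
$db->exec('INSERT INTO users (id) VALUES (1)');
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

store_comment($db, HOSTILE_COMMENT);

// The users table still has its row, and the comment renders as inert text.
$users = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users remaining: {$users}\n";
echo render_comments($db);
```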
