Chris Shiflett
Fri Nov 28 20:00:45 EST 2008

On Nov 28, 2008, at 16:59, Michele Waldman wrote:

> What about inserting a comment
> <script>alert('hi');</script>'; delete from users;
> Like I'm going to name my table users?
> With that one statement about they have performed a SQL injection
> and HTML injection in one stroke.
> Bada bing bada bang bada boom
> Next time I display their comment out of the database they are
> popping up an alert to every user and my users are gone.
> Michele

Two words: escape output

Chris Shiflett
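As an added illustration of the two-word answer (example code written for this page, not code from either poster), the exact comment Michele quotes is stored through a bound query parameter and HTML-escaped only at the moment it is written into the page. Python's sqlite3 and html modules stand in for whatever database and templating the real application uses; that choice, the table layout and the two sample users are assumptions.

```python
import html
import sqlite3

# Constructed sample input: the comment from the quoted message, verbatim.
HOSTILE_COMMENT = "<script>alert('hi');</script>'; delete from users;"


def setup_db():
    """In-memory schema with a `users` table (assumed) and a `comments` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO users (name) VALUES ('alice'), ('bob')")
    conn.commit()
    return conn


def store_comment(conn, body):
    """Store the comment unchanged: the text is a bound parameter, so the
    quote and the trailing `delete from users;` are data, never SQL."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def render_comments(conn):
    """Escape output: html.escape() turns <, >, &, " and ' into entities
    as each comment is written into the page, so the stored <script> tag
    reaches the browser as inert text."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return "\n".join(
        "<li>%s</li>" % html.escape(body, quote=True) for (body,) in rows
    )


def count_users(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Store the hostile comment and return (users left, stored body, HTML)."""
    conn = setup_db()
    store_comment(conn, HOSTILE_COMMENT)
    stored = conn.execute("SELECT body FROM comments").fetchone()[0]
    return count_users(conn), stored, render_comments(conn)


if __name__ == "__main__":
    users_left, stored, page = demo()
    print("users remaining:", users_left)
    print("stored verbatim:", stored == HOSTILE_COMMENT)
    print(page)
```

The stored text stays byte-for-byte what the user typed; the database never sees it as a statement, and the page never sees it as markup.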

