[nycphp-talk] User Input Data scrubbing
tmpvar at gmail.com
Sat Nov 29 00:12:08 EST 2008
Yeah, or these two words: "Filter Input"
Whichever route you take, you also need to do SQL injection cleansing.
scrub, rinse, repeat.
On Fri, Nov 28, 2008 at 8:00 PM, Chris Shiflett <shiflett at php.net> wrote:
> On Nov 28, 2008, at 16:59, Michele Waldman wrote:
>> What about inserting a comment
>> <script>alert('hi');</script>'; delete from users;
>> Like I'm going to name my table users?
>> With that one statement they have performed a SQL injection and HTML
>> injection in one stroke.
>> Bada bing bada bang bada boom
>> Next time I display their comment out of the database they are popping up
>> an alert to every user and my users are gone.
> Two words: escape output
> Chris Shiflett
> New York PHP User Group Community Talk Mailing List
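The two defenses named in the thread, applied to the exact comment Michele quoted, as an added example (not code from any participant in this thread): a PDO prepared statement keeps the `'; delete from users;` part out of the SQL, and `htmlspecialchars` keeps the `<script>` tag from running when the comment is displayed. The in-memory SQLite database and the `comments` table name are assumptions for the demo.

```php
<?php
// Added example: store the quoted comment with a parameterized query, then
// escape it on output. The SQLite in-memory DB and "comments" table are
// assumptions for this demo, not from the original thread.

// The payload as quoted in the thread, held in a variable instead of $_POST
$comment = "<script>alert('hi');</script>'; delete from users;";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Filter input: enforce what a comment may be (valid UTF-8, bounded length)
// before it goes anywhere near storage.
function filterComment(string $raw): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('comment is not valid UTF-8');
    }
    return mb_substr($raw, 0, 2000);
}

// Prepared statement: the comment travels as a bound value, never as SQL
// text, so the embedded "'; delete from users;" is stored as a literal
// string and is never executed against the users table.
function storeComment(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Escape output: encode for the HTML context the comment is rendered in,
// so the stored <script> tag is displayed as text rather than executed.
function renderComment(string $body): string
{
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

storeComment($db, filterComment($comment));

// The users table survives the "injection" because it was never parsed as SQL.
$users = $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users still present: $users\n";

// The comment round-trips unchanged and is shown escaped, not run.
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n";
}
```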