[nycphp-talk] User Input Data scrubbing

Elijah Insua tmpvar at gmail.com
Sat Nov 29 00:12:08 EST 2008


Yeah, or these two words: "Filter Input"

Whichever route you take, you also need to do SQL injection cleansing.

scrub, rinse, repeat.

On Fri, Nov 28, 2008 at 8:00 PM, Chris Shiflett <shiflett at php.net> wrote:

> On Nov 28, 2008, at 16:59, Michele Waldman wrote:
>
>> What about inserting a comment
>>
>> <script>alert('hi');</script>'; delete from users;
>>
>> Like I'm going to name my table users?
>>
>> With that one statement about they have performed a SQL injection and HTML
>> injection in one stroke.
>>
>> Bada bing bada bang bada boom
>>
>> Next time I display their comment out of the database they are popping up
>> an alert to every user and my users are gone.
>>
>> Michele
>>
>
> Two words: escape output
>
> --
> Chris Shiflett
> http://shiflett.org/
>
>
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
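To show what "filter input, escape output" plus SQL injection cleansing looks like in practice, here is an added PHP example that is not part of the thread or anyone's posted code. It runs the exact comment payload quoted above through three separate steps (input filtering, a parameterised INSERT, and HTML escaping at render time) against an in-memory SQLite database, so it can be run offline. It assumes PHP 8 with the PDO SQLite driver and the mbstring extension; the table and column names are hypothetical.

```php
<?php
// Added example (not from the thread): filter input, escape output, and
// parameterised SQL, demonstrated against the comment payload quoted above.
// Assumes PHP 8 with PDO SQLite and mbstring; table/column names are hypothetical.

declare(strict_types=1);

// Filter input: accept only a non-empty, bounded, valid-UTF-8 string.
// Filtering decides whether the data is acceptable at all; it does not
// try to "clean" HTML or SQL out of it, which is a losing game.
function filterComment(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $text = trim($raw);
    if ($text === '' || mb_strlen($text, 'UTF-8') > 2000) {
        return null;
    }
    // Reject invalid byte sequences so later escaping cannot be bypassed.
    if (!mb_check_encoding($text, 'UTF-8')) {
        return null;
    }
    return $text;
}

// SQL: bind the comment as a parameter, so quotes and semicolons in it are
// data to the database driver, never part of the statement text.
function storeComment(PDO $db, string $author, string $text): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $text]);
}

// Escape output: encode for the HTML context at render time, not at storage
// time, so the database keeps the original text and every output context
// gets the escaping it actually needs.
function renderComment(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Self-contained demo with an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// The payload quoted in the thread, used here as constructed test input.
$payload = "<script>alert('hi');</script>'; delete from users;";

$clean = filterComment($payload);
if ($clean !== null) {
    storeComment($db, 'michele', $clean);
}

// The users table is intact: the quote and semicolon were bound as data.
$userCount = (int) $db->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "users remaining: $userCount\n";

// The stored comment renders as inert text: the browser sees &lt;script&gt;,
// not a script element, so no alert fires for other users.
foreach ($db->query('SELECT author, body FROM comments') as $row) {
    echo renderComment($row['author']) . ': ' . renderComment($row['body']) . "\n";
}
```

The point worth noticing is that the three concerns are handled in three different places: the filter only answers "is this acceptable input", the prepared statement makes the SQL question disappear regardless of what the string contains, and `htmlspecialchars` is applied at the moment the text goes into an HTML page. Escaping at storage time instead would leave the same text unescaped when it is later written into JSON, a mail body, or a log.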