[nycphp-talk] User Input Data scrubbing
Elijah Insua
tmpvar at gmail.com
Sat Nov 29 00:12:08 EST 2008
Yeah, or these two words: "Filter Input"
Whichever route you take, you also need to do SQL injection cleansing.
scrub, rinse, repeat.
On Fri, Nov 28, 2008 at 8:00 PM, Chris Shiflett <shiflett at php.net> wrote:
> On Nov 28, 2008, at 16:59, Michele Waldman wrote:
>
>> What about inserting a comment
>>
>> <script>alert('hi');</script>'; delete from users;
>>
>> Like I'm going to name my table users?
>>
>> With that one statement they have performed a SQL injection and an HTML
>> injection in one stroke.
>>
>> Bada bing bada bang bada boom
>>
>> Next time I display their comment out of the database they are popping up
>> an alert to every user and my users are gone.
>>
>> Michele
>>
>
> Two words: escape output
>
> --
> Chris Shiflett
> http://shiflett.org/
>
>
>
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
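Added example, not code from anyone in this thread: it takes Michele's exact comment string as constructed sample input, stores it with a PDO prepared statement (the "filter/parameterize input" half) and escapes it with htmlspecialchars when rendering (the "escape output" half). It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database; the table names users and comments are assumptions for the demo.

```php
<?php
// Added example for the nycphp-talk thread above; not original code from the
// posters. Assumes php with pdo_sqlite. Table names are made up for the demo.

// Constructed sample input: the payload quoted in the thread.
$comment = "<script>alert('hi');</script>'; delete from users;";

function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $pdo;
}

// Parameterized insert: the quote and the trailing "delete from users" are
// bound as data, so the database never parses them as SQL.
function storeComment(PDO $pdo, string $body): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// The vulnerable shape the thread is warning about, kept here only for
// contrast and never called: string interpolation into the SQL text.
function storeCommentUnsafe(PDO $pdo, string $body): void {
    $pdo->exec("INSERT INTO comments (body) VALUES ('$body')");
}

// Escape on output for the HTML body context: <, >, &, " and ' become
// entities, so the browser shows the script tag as text instead of running it.
function renderComment(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

$pdo = setupDb();
storeComment($pdo, $comment);

// The users table survives: the injected DELETE was stored, not executed.
$userCount = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
if ($userCount !== 2) {
    throw new RuntimeException("users table was modified: $userCount rows");
}

// The stored value comes back byte-for-byte, and escaping happens only at
// display time, in the context (HTML) where it is displayed.
$stored = (string) $pdo->query('SELECT body FROM comments')->fetchColumn();
if ($stored !== $comment) {
    throw new RuntimeException('comment was altered on the way in');
}
$html = renderComment($stored);
if (strpos($html, '<script') !== false) {
    throw new RuntimeException('script tag survived output escaping');
}
echo $html, "\n";
```

The point of keeping storeComment and renderComment separate is the one Chris makes: the comment is stored exactly as typed and escaped at the moment it hits an HTML page. Escaping for one context (HTML) does not cover another (a JavaScript string, a URL, an SQL literal), which is why the query side uses bound parameters rather than a second round of "scrubbing".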