RE: basic user/input form questions... more validation!

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hey chris...

thanks!!

but what do you mean by "...escape output!!"

is that output of the query, which is input to the db?

as i understand it, you escape the query vars, after filtering/validation,
that you're going to touch the db with... (insert/update/select)

am i on your same wavelength??

-bruce


-----Original Message-----
From: Chris Shiflett [mailto:shiflett@xxxxxxx]
Sent: Thursday, September 22, 2005 7:15 PM
To: bedouglas@xxxxxxxxxxxxx
Cc: 'Chris W. Parker'; php-general@xxxxxxxxxxxxx
Subject: Re:  basic user/input form questions... more validation!


bruce wrote:
> not sure i agree with this one.. if i put "foo \' cat" in a db tbl...
> i expect that i'll get the same out... which is what some of the
> articles i've seen have stated.. are you telling me, and are you sure,
> that i'd get "foo ' cat" out instead!!????
>
> the articles i've seen imply that if you addslashes, you also need to
> stripslashes on the backend...

You're reading the wrong articles. :-)

Escaping is something you do to preserve data, period. If you have data
that is going to enter a context where it can be considered anything
other than data, it needs to be escaped. I often simplify this by
suggesting that you always escape output.

I did a podcast about this topic a few weeks ago:

http://pro-php.com/index.php?post_id=10

I also wrote a small followup blog entry:

http://shiflett.org/archive/133

Hope that helps.

Chris

--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux