Filtering (was storing single and double quote in MySQL)

At 4:28 PM +0200 5/24/06, afan@xxxxxxxx wrote:
after these very helpful comments, I read (again) Shiflett's (and a few
others') Security articles about filtering input and output. And the more I
read - the less is clear :(

and

At 6:07 PM +0200 5/24/06, afan@xxxxxxxx wrote:
Ok. Looks like I DID miss the point :)
I thought that with mysql_real_escape_string() I HAVE TO add a slash in front
of a quote and THAT's filtering.

No, that's NOT filtering input, as per Shiflett's book.

Filtering input is proving that the data coming is -- IS -- valid data!

Take for example the code he shows on page 11 of his book (Essential PHP Security) where:

<?php

// $clean starts empty and only ever receives values that passed the filter.
$clean = array();

// Whitelist filter: the only way into $clean is to match one of the cases.
switch ($_POST['color'])
   {
   case 'red':
   case 'green':
   case 'blue':
      $clean['color'] = $_POST['color'];
      break;
   }

?>

If you inspect this code, you will see that the array $clean will never have anything in it that's not 'red', 'green', or 'blue' -- that's filtering input as per Shiflett.

And, that makes perfect sense to me.

tedd

PS: I changed the subject line because it's a different subject. :-)
--
------------------------------------------------------------------------------------
http://sperling.com  http://ancientstones.com  http://earthstones.com
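An added example (not from tedd's message, and not the code in Shiflett's book) that puts the two steps side by side: filtering input by whitelist and by format, so that $clean only ever holds proven-good values, and then escaping on the way out, which is a separate step that depends on where the data goes. The request array, the SQLite table and the function names filter_color(), filter_id() and to_html() are all made up for this demo; it assumes PHP 7 or later with the PDO SQLite driver.

```php
<?php
// Added example, not from the original post or from Shiflett's book.
// Assumes PHP 7+ with the PDO SQLite driver. The $requests array, the
// widgets table and the helper names are constructed for the demo.

// Filtering input by whitelist: prove the value is one of the allowed ones.
// Returns the value if it passes, null otherwise. Nothing else gets through.
function filter_color(array $input): ?string
{
    $allowed = ['red', 'green', 'blue'];
    if (!isset($input['color']) || !is_string($input['color'])) {
        return null;
    }
    // strict=true avoids PHP's loose string/number comparisons
    return in_array($input['color'], $allowed, true) ? $input['color'] : null;
}

// Filtering input by format: an id must be a non-empty string of decimal digits.
function filter_id(array $input): ?int
{
    if (!isset($input['id']) || !is_string($input['id']) || !ctype_digit($input['id'])) {
        return null;
    }
    return (int) $input['id'];
}

// Escaping output is a different job: it makes a value safe for one specific
// destination (here HTML). It says nothing about whether the value is valid.
function to_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST. The second request is
// hostile: escaping would only neutralize it, filtering rejects it outright.
// The third shows that a whitelist is exact: 'Blue' is not 'blue'.
$requests = [
    ['color' => 'blue',            'id' => '42'],
    ['color' => "red' OR '1'='1",  'id' => '42; DROP TABLE widgets'],
    ['color' => 'Blue',            'id' => ''],
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE widgets (id INTEGER PRIMARY KEY, color TEXT)');
$pdo->exec("INSERT INTO widgets (id, color) VALUES (42, 'blue'), (43, 'red')");

foreach ($requests as $post) {
    $clean = [];   // holds only data that passed a filter
    $color = filter_color($post);
    $id    = filter_id($post);

    if ($color === null || $id === null) {
        // escape for the HTML error page; the raw value never reaches the query
        echo 'rejected: color=', to_html((string) ($post['color'] ?? '')),
             ' id=', to_html((string) ($post['id'] ?? '')), "\n";
        continue;
    }
    $clean['color'] = $color;
    $clean['id']    = $id;

    // Even with clean data, keep the query structure fixed and send the values
    // as parameters: that is the database-side counterpart of escaping output.
    $stmt = $pdo->prepare('SELECT id, color FROM widgets WHERE id = :id AND color = :color');
    $stmt->execute([':id' => $clean['id'], ':color' => $clean['color']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    echo 'accepted: ', $row ? "found widget {$row['id']} ({$row['color']})" : 'no match', "\n";
}
```

Run it with `php filter-demo.php`: the first request is accepted and finds widget 42, the other two are rejected before any query is built. The point is that filter_color() and filter_id() decide what is allowed in, while to_html() and the prepared statement only decide how an already-accepted value is represented on the way out; the slash that mysql_real_escape_string() adds belongs to the second job, not the first.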

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

