On Tue, August 7, 2007 9:55 pm, Daniel Brown wrote:
> On 8/7/07, Richard Lynch <ceo@xxxxxxxxx> wrote:
>> On Tue, August 7, 2007 5:08 pm, Daniel Brown wrote:
>> > It's actually not so much for echo'ing as it is for processing the
>> > data in another manner that makes it dangerous not to do some
>> > sanitizing and checking.... such as database manipulation.
>>
>> This is wrong.
>>
>> Google for "cross site scripting attack" to get some sense of just how
>> wrong this is. :-)
>
> Under normal circumstances, Rich, you're exactly right. I know
> exactly what XSS is, thanks. However, in the context of this
> scenario, my point was valid.

Actually, I have to respectfully disagree with you. :-)

Consider all of the following:

The code you write today will end up getting used/copied/pasted/abused somewhere else tomorrow.

Defense in depth is good.

Somebody might manage to break in and use the "admin" functionality. How much damage they can cause is directly related to what input you let slip by.

Your admin user may have no clue what XSS is, and could copy/paste who knows what into a form you create.

Bad habits are hard to break. Newbies should be encouraged toward Good Habits.

Conclusion:

Disallowing input you do not expect (filter input) and formatting output correctly for its medium (escape output) is relatively inexpensive and will more than pay for itself in maintenance costs in the long run, even if you think it's "safe" to bypass this basic coding practice for some specific reason at the moment.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
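The "filter input, escape output" rule from the conclusion above, as an added PHP example that is not part of the thread. It assumes a hypothetical admin form with `id` and `title` fields, a PDO connection `$pdo` and a `posts` table; the pasted sample input is constructed. It also shows why the two steps are separate: a value can pass a reasonable input filter and still need escaping for the medium it ends up in.

```php
<?php
// Added example, not from the mailing-list thread. Assumed: a hypothetical
// admin form with 'id' and 'title' fields, a PDO handle $pdo, a 'posts' table.
declare(strict_types=1);

// Filter input: accept only what the field is expected to contain.
function filterTitle(string $raw): ?string
{
    $title = trim($raw);
    // A title is one line of text, 1..100 characters; reject, never "clean up".
    if ($title === '' || mb_strlen($title) > 100 || preg_match('/[\r\n\t]/', $title)) {
        return null;
    }
    return $title;
}

function filterId(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc", "1; DROP TABLE posts" and "0x1A".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escape output for the HTML medium: <, >, quotes and & become entities.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For the SQL medium, a prepared statement keeps the value out of the query text.
function savePost(PDO $pdo, int $id, string $title): void
{
    $stmt = $pdo->prepare('UPDATE posts SET title = :title WHERE id = :id');
    $stmt->execute([':title' => $title, ':id' => $id]);
}

// Constructed sample: something an admin might paste into the form by accident.
$pasted = 'Hello <script>alert(document.cookie)</script>';
$title  = filterTitle($pasted);       // passes the title rule: it is one short line
echo escapeHtml($title ?? ''), "\n";  // browser shows the literal text, runs nothing
var_dump(filterId('1; DROP TABLE posts')); // NULL: not an integer, so never reaches SQL
```

The filter alone would have let the script tag through to the database; only escaping at output time for the HTML medium makes the stored value safe to display.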