On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for each output (output to mysql, output to browser, etc)

Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.

> 2 distinct concepts, which shouldn't be rolled into single functions. imho.

They aren't; what you saw were two separate functions. Here they are again:

// Escaper for the HTML sink: drop tags, then entity-encode what is left.
function clean_html($dirty) {
    $dirty = strip_tags($dirty);
    $clean = htmlentities($dirty);
    return $clean;
}

// Escaper for the MySQL sink: strip comment and statement separators,
// then escape with the connection's charset (needs an open mysql link).
function clean_mysql($dirty) {
    $dirty = str_replace("--", "", $dirty);
    $dirty = str_replace(";", "", $dirty);
    $clean = mysql_real_escape_string($dirty);
    return $clean;
}

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
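The split Jochem describes (validate input once, then escape separately for each output) written out as a complete script. This is an added example, not code from either poster: it validates a free-text comment by business rules only (encoding, length, control characters), escapes for the HTML sink with htmlspecialchars, and for the SQL sink uses a PDO prepared statement instead of mysql_real_escape_string (which was removed in PHP 7). The table names, column names and sample inputs are assumptions made for the demo; SQLite in memory stands in for MySQL so it runs offline.

```php
<?php
// Added example (not from the original post): input validation and
// per-sink output escaping kept as two separate steps.
declare(strict_types=1);

// Step 1: validation. Decide whether the value is acceptable; do not delete
// characters to make it "safe", because the sinks handle that and deleting
// silently changes what the user wrote.
function validate_comment(string $raw): string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        throw new InvalidArgumentException('comment is not valid UTF-8');
    }
    $text = trim($raw);
    if ($text === '' || mb_strlen($text, 'UTF-8') > 500) {
        throw new InvalidArgumentException('comment length out of range');
    }
    // Reject ASCII control characters other than tab, newline and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $text)) {
        throw new InvalidArgumentException('comment contains control characters');
    }
    return $text;
}

// Step 2a: HTML sink. Encode at the point of output; quotes included so the
// value is also safe inside an attribute.
function escape_html(string $validated): string
{
    return htmlspecialchars($validated, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2b: SQL sink. A prepared statement keeps the value out of the query
// text, so "'); DROP TABLE students;--" is stored as an ordinary string and
// no "--" or ";" stripping is needed.
function store_comment(PDO $db, string $validated): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $validated]);
}

function count_comments(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM comments')->fetchColumn();
}

function table_exists(PDO $db, string $name): bool
{
    $stmt = $db->prepare("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = :n");
    $stmt->execute([':n' => $name]);
    return $stmt->fetchColumn() !== false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$db->exec('CREATE TABLE students (id INTEGER PRIMARY KEY)');

// Constructed inputs for the demo: legitimate punctuation, an injection
// attempt, an XSS attempt, and a value that fails validation.
$inputs = [
    "  O'Brien says: use --help; it works  ",
    "Robert'); DROP TABLE students;--",
    "<script>alert(1)</script>",
    "binary\x00garbage",
];

foreach ($inputs as $raw) {
    try {
        $comment = validate_comment($raw);
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
        continue;
    }
    store_comment($db, $comment);
    echo "html: " . escape_html($comment) . "\n";
}

echo "comments stored: " . count_comments($db) . "\n";
echo "students table still present: " . (table_exists($db, 'students') ? 'yes' : 'no') . "\n";
```

Run with php on a build that has pdo_sqlite (standard in most distributions). Three of the four inputs are stored verbatim and the students table survives; the first input shows why deleting "--" and ";" before the SQL sink is a bad idea, since it would corrupt perfectly legitimate text. The escaping decision belongs to the sink, the acceptance decision to the validator, and neither function knows about the other.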