Dotan Cohen schreef:
On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:
you don't understand what I mean.
input filtering is a seperate task to output filtering.
you filter and validate all input to the script regardless of
how you are going to use it. THEN you escape the filtered, validated data
for each output (output to mysql, output to browser, etc)
Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.
2 distinct concepts, which shouldn't be rolled into single functions. imho.
They aren't what you saw are two separate functions. Here they are again:
I can read, I saw 2 functions the first time. each function cleans *and* escapes.
cleaning is filtering of input.
escaping is preparing for output.
2 concepts.
if the input needs to be stripped of html then it needs that regardless
of the output vector. again removing or not-accepting input if it contains
'--' is a question of filtering/validation ... besides which '--' is quite
acceptable for data stored in a text field but not for a numeric one.
filter each piece of data
validate each piece of data
escape each peice of data for each context in which it will be output.
imho your functions are conceptually wrong and not very robust either -
don't take it as a personal attack - I'm very sure if we sat down with *some*
of my code the same critism could be made to more or lesser extent :-) ...
"getting better all the time" as they sang once ;-)
function clean_html ($dirty) {
$dirty=strip_tags($dirty);
$clean=htmlentities($dirty);
return $clean;
}
function clean_mysql ($dirty) {
$dirty=str_replace ("--", "", $dirty);
$dirty=str_replace (";", "", $dirty);
$clean=mysql_real_escape_string($dirty);
return $clean;
}
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php