On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:> I can read, I saw 2 functions the first time. each function cleans *and* escapes.>> cleaning is filtering of input.> escaping is preparing for output.>> 2 concepts. I see your point. > if the input needs to be stripped of html then it needs that regardless> of the output vector. again removing or not-accepting input if it contains> '--' is a question of filtering/validation ... besides which '--' is quite> acceptable for data stored in a text field but not for a numeric one. I'm not accepting "--" at all until someone can show me a real worldcase where one would use it, without the intention of SQL injection.How can it be escaped, anyway? > filter each piece of data> validate each piece of data> escape each peice of data for each context in which it will be output. I see that you have more experience than I! > imho your functions are conceptually wrong and not very robust either -> don't take it as a personal attack - I'm very sure if we sat down with *some*> of my code the same critism could be made to more or lesser extent :-) ...> "getting better all the time" as they sang once ;-) I never thought that was a personal attack, not for a second. Rather,I very much appreciate the time you take to explain to me my errors.And I intend to learn from them. For the time being, I'll leave thecode as it is. However, for future projects, I will make a point ofseparating the different functions. Thanks. Dotan Cohen http://what-is-what.comhttp://gibberish.co.ilא-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת; A: Because it messes up the order in which people normally read text.Q: Why is top-posting such a bad thing?
