security bug in PHP-server-1.1
Norman Rasmussen
norman at rasmussen.co.za
Wed Apr 11 04:21:40 PDT 2007
On 4/11/07, Jonathan Daugherty <cygnus at janrain.com> wrote:
> # why? templates are for output, not for processing... AND as soon as
> # you get the data in your system you should clean it.
>
> Yes, that's true. But you clean it so output is safe, and so that
> passing it through services (i.e., a database) is safe. There's no
> point in cleaning the data until you use it in a dangerous context;
Agreed! You never know when someone might find a way to inject unsafe
data into your database. It's much safer to escape it as you output
it. (Also, you might output it in different places, requiring
different escaping.)
--
- Norman Rasmussen
- Email: norman at rasmussen.co.za
- Home page: http://norman.rasmussen.co.za/
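The point made above (store the raw value, escape at the moment of output, and use a different escaper for each output context) as an added example; this is illustration code written for this page, not code from the thread or from PHP-server, and it is in Python rather than PHP since the principle is the same. The two attack strings, the `users` table and the `render_profile` template are constructed for the example.

```python
import html
import json
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample inputs (not from the thread): the first breaks out of an
# HTML attribute and closes a <script> element, the second targets SQL syntax.
ATTACK_HTML = '"><script>alert(1)</script><a href="x'
ATTACK_SQL = "bob'); DROP TABLE users; --"


def store_and_load(values):
    """Store raw strings and read them back unchanged.

    The INSERT is parameterized, so the value never becomes part of the SQL
    grammar; nothing is "cleaned" on the way in, which is what keeps the
    original bytes available for every later output context.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    for value in values:
        conn.execute("INSERT INTO users (name) VALUES (?)", (value,))
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


# One escaper per output context, each applied at the moment of output.

def html_escape(value):
    """HTML text or a double-quoted attribute: &, <, >, " and ' become entities.
    For an attribute the caller must still put quotes around the value."""
    return html.escape(value, quote=True)


def url_param(value):
    """Query-string value: percent-encode everything outside the unreserved set
    (safe="" so that '/' is encoded too)."""
    return quote(value, safe="")


def js_string(value):
    """JavaScript string literal inside a <script> block.

    json.dumps yields a valid double-quoted literal; '</' is escaped as well
    because the HTML parser would otherwise see '</script>' inside the literal
    and end the script element early.
    """
    return json.dumps(value).replace("</", "<\\/")


def render_profile(name):
    """Emit the same untrusted value into four contexts, each with its own escaper."""
    return (
        f"<p>Hello {html_escape(name)}</p>\n"
        f'<input name="display" value="{html_escape(name)}">\n'
        f'<a href="/profile?u={url_param(name)}">profile</a>\n'
        f"<script>var user = {js_string(name)};</script>"
    )


def url_roundtrip_after_input_escaping(name):
    """The failure mode of escaping once on input: if the value had been
    HTML-escaped before storage and then reused in a URL, the server receives
    the entity-encoded string back, not the original name."""
    return unquote(url_param(html_escape(name)))


if __name__ == "__main__":
    print(render_profile(ATTACK_HTML))
    print(store_and_load([ATTACK_HTML, ATTACK_SQL]))
    print(url_roundtrip_after_input_escaping(ATTACK_HTML))
```

Note that the literal `<script>` surviving inside the JavaScript string is harmless; only `</script>` can terminate the element, and that is what `js_string` neutralizes. Conversely, `url_roundtrip_after_input_escaping` shows why HTML-escaping at storage time does not help the URL context: the lookup key comes back as `&quot;&gt;...` rather than the stored name.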