[nycphp-talk] Injection Attack, any ideas?

David Krings ramons at gmx.net
Sat Nov 17 07:58:13 EST 2007


Daniel Convissor wrote:
> Hi Rob:
> 
> On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
>> But it's expensive to escape it every time someone views the page.
>> Therefore, it's recommended to filter it on input but store the
>> filtered version
>
> This approach is flawed because disgruntled people who have server side
> access to the database can insert HTML.  Escaping HTML upon page
> generation is the safest way to go.
> 
> --Dan

Exactly! All input is evil, even when it comes from your database and your
script. There is no good reason not to check input each and every time; there
are only bad excuses for not doing it.

David
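Dan's point in practice, as an added PHP example that is not part of this thread: the page escapes every value at generation time, so a row that was written straight into the table (never passing the form's input filter) renders as harmlessly as one that was filtered on the way in. The `e()` and `renderComment()` helpers and the sample rows are constructed for this illustration.

```php
<?php
// Added example (not from the thread): escape at page generation,
// so content that reached the database without passing the input
// filter is still rendered harmlessly.

// Escape for HTML body and double-quoted attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one comment row; every dynamic value goes through e() here,
// regardless of what filtering happened on the way in.
function renderComment(array $row): string
{
    return '<li data-author="' . e($row['author']) . '">'
         . e($row['body'])
         . '</li>';
}

// Constructed rows standing in for a SELECT result. The first went
// through an input filter (strip_tags) when submitted; the second was
// written straight into the table by someone with database access,
// bypassing the form and its filter entirely.
$rows = [
    ['author' => 'alice',            'body' => strip_tags('Hello <b>world</b>')],
    ['author' => 'bob" class="admin', 'body' => '<script>/* injected */</script>'],
];

echo "<ul>\n";
foreach ($rows as $row) {
    echo renderComment($row), "\n";
}
echo "</ul>\n";
```

Because escaping happens in `renderComment()`, the stray `"` in the author field and the `<script>` tag in the body both come out as entities whichever route the row took into the table.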
