--- Pablo Gosse <[EMAIL PROTECTED]> wrote:
> [snip] It might be best to not try and definitely declare what counts as
> foreign data, because it's a sort of "everything else" type of thing. If
> it doesn't originate within the PHP script itself, it is foreign.[/snip]
> 
> What about data from a database which is retrieved within the PHP
> script? Would you consider this type of data to be internal (since it is
> being accessed within php) or external (since the database is external
> to php)?

It depends on how the data ended up there. :-)

If there are other systems accessing the database that might be able to
insert data, I would definitely consider this data foreign unless I was
the author of those other systems. If it is only my software that can
access the database, I would rely on my own habits of always validating
data prior to insertion.

For various reasons, some people might find that it makes more sense to
validate their data after they retrieve it from the database and only
worry about preventing SQL injection attacks when filtering data prior to
insertion. For these people, the data in the database is just as foreign
as when it entered the system through whatever other means.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
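
An added example (not part of the original thread or written by its authors) of the second approach described in the reply above: a prepared statement guards insertion against SQL injection, and every row is validated again after retrieval, as foreign data. The table, the field rules and the sample rows are assumptions constructed for illustration; it uses PDO with an in-memory SQLite database.

```php
<?php
// Added example: rows read back from the database are treated as foreign data.
// Table name, columns, validation rules and sample rows are all constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (author TEXT, age TEXT, body TEXT)');

// Insertion: the prepared statement keeps values out of the SQL text.
// Under this approach that is the only protection applied on the way in.
$insert = $db->prepare('INSERT INTO comments (author, age, body) VALUES (?, ?, ?)');
$samples = [
    ['alice',    '34',  'Nice article'],
    ["bob'; --", '27',  'The quote is stored as plain data'],
    ['carol',    '41',  '<b>markup</b> written by some other system'],
    ['dave',     'abc', 'Age is not a number'],
];
foreach ($samples as $sample) {
    $insert->execute($sample);
}

// Retrieval: validate every field before the script relies on it.
// Returns the cleaned row, or null when any field fails its rule.
function validate_comment(array $row): ?array
{
    if (!preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $row['author'])) {
        return null;
    }
    $age = filter_var($row['age'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        return null;
    }
    if (strlen($row['body']) > 500) {
        return null;
    }
    return ['author' => $row['author'], 'age' => $age, 'body' => $row['body']];
}

foreach ($db->query('SELECT author, age, body FROM comments', PDO::FETCH_ASSOC) as $row) {
    $clean = validate_comment($row);
    if ($clean === null) {
        echo 'rejected: ', json_encode($row), PHP_EOL;
        continue;
    }
    // Escape at the point of output so stored markup is displayed, not interpreted.
    echo $clean['author'], ' (', $clean['age'], '): ',
        htmlspecialchars($clean['body'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```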
