On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for each output (output to mysql, output to browser, etc)
Exactly. However, before going to the database, things get a healthy dose of filtering specific to that medium. I don't need no Little Bobby Tables slipping through. Likewise for data being output to HTML: nobody would appreciate getting XSSed on my sites.

> 2 distinct concepts, which shouldn't be rolled into single functions. imho.

They aren't; what you saw are two separate functions. Here they are again:

    // Escaper for the HTML output sink: drop tags, then encode what is left.
    function clean_html ($dirty) {
        $dirty = strip_tags($dirty);
        // htmlentities() with default flags encodes <, >, & and double quotes
        // (single quotes are left alone unless ENT_QUOTES is passed).
        $clean = htmlentities($dirty);
        return $clean;
    }

    // Escaper for the MySQL output sink: strip the comment marker and statement
    // separator, then escape for the open mysql connection.
    function clean_mysql ($dirty) {
        $dirty = str_replace("--", "", $dirty);
        $dirty = str_replace(";", "", $dirty);
        // Requires an open connection from mysql_connect().
        $clean = mysql_real_escape_string($dirty);
        return $clean;
    }

Dotan Cohen

http://what-is-what.com
http://gibberish.co.il

א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
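The split Jochem describes (validate all input once, then escape separately for each output sink) as an added example that is not code from the thread or from either poster. It assumes PDO with the pdo_sqlite extension for a stand-alone run, and it swaps string escaping of the SQL sink for bound parameters, which is why the comment body can keep its `--` and `;` intact instead of having them stripped.

```php
<?php
// Added example (not from the thread). Step 1: validate input regardless of
// where it will later go. Each validator returns the value or null on failure.
function validate_username(string $raw): ?string {
    $raw = trim($raw);
    // Whitelist: 3 to 32 chars of letters, digits, underscore, hyphen.
    return preg_match('/^[A-Za-z0-9_-]{3,32}$/', $raw) === 1 ? $raw : null;
}

function validate_comment(string $raw): ?string {
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 1000) {
        return null;
    }
    // Reject control characters other than tab, newline and carriage return.
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $raw) === 1 ? null : $raw;
}

// Step 2a: escaping for the HTML sink, applied only at render time.
// ENT_QUOTES covers single quotes so the result is safe inside attributes too.
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Step 2b: the MySQL/SQL sink. Data is handed to the driver as a bound
// parameter, so no characters need to be stripped or escaped by hand.
function insert_comment(PDO $db, string $user, string $comment): bool {
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    return $stmt->execute([':u' => $user, ':b' => $comment]);
}

// Constructed sample input (hypothetical values, not from the thread).
$badUser = validate_username("Robert'); DROP TABLE students;--"); // null: fails whitelist
$user    = validate_username('dotan');
$comment = validate_comment("<script>alert(1)</script> -- see; this");

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (username TEXT, body TEXT)');

if ($badUser === null) {
    echo "rejected username at the input stage\n";
}
if ($user !== null && $comment !== null) {
    insert_comment($db, $user, $comment);          // stored verbatim, safely
    echo escape_html($comment), "\n";               // encoded for the browser
}
```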