On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> you don't understand what I mean.
>
> input filtering is a separate task to output filtering.
> you filter and validate all input to the script regardless of
> how you are going to use it. THEN you escape the filtered, validated data
> for each output (output to mysql, output to browser, etc)
Exactly. However, before going to the database, things get a healthy
dose of filtering specific to that medium. I don't need no Little
Bobby Tables slipping through. Likewise for data being output to HTML:
nobody would appreciate getting XSSed on my sites.
> 2 distinct concepts, which shouldn't be rolled into single functions. imho.
They aren't. What you saw are two separate functions. Here they are again:
    // Prepare a value for the HTML sink: drop tags, then encode the rest.
    function clean_html($dirty) {
        $dirty = strip_tags($dirty);
        $clean = htmlentities($dirty);
        return $clean;
    }

    // Prepare a value for the MySQL sink: remove "--" and ";" and then
    // escape with mysql_real_escape_string (the mysql_* extension this
    // relies on was removed in PHP 7.0).
    function clean_mysql($dirty) {
        $dirty = str_replace("--", "", $dirty);
        $dirty = str_replace(";", "", $dirty);
        $clean = mysql_real_escape_string($dirty);
        return $clean;
    }
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
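The two-stage model Jochem describes (validate input once, then escape separately for each output sink) as an added, runnable example that is not Dotan's or Jochem's code. It assumes PHP 7 or later with PDO available; the SQL stage uses an in-memory SQLite database so it runs offline, and with MySQL only the DSN changes. Note the contrast with the posted functions: nothing is stripped from the value before storage, so a legitimate name containing "--" or ";" survives intact, while the xkcd payload is stored as a plain string and the script tag is rendered as text. The input samples are constructed for the example.

```php
<?php
// Added example, not code from the original thread.
// Stage 1 validates input once, independent of its destination.
// Stage 2 escapes the validated value per output sink (HTML, SQL).
declare(strict_types=1);

// Stage 1: validation. Accept or reject; do not mutate the value beyond
// trimming. Returns null when the input is not an acceptable display name.
function filter_display_name(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;                      // empty or too long
    }
    if (preg_match('/\p{Cc}/u', $name) === 1) {
        return null;                      // control characters are never valid here
    }
    return $name;
}

// Stage 2a: HTML sink. Encode only what HTML would interpret; the data itself
// is unchanged, so a name with "<" in it still reads correctly on the page.
function for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stage 2b: SQL sink. A prepared statement keeps the query text and the data
// separate, so "--", ";" and quotes in the value are just bytes to store.
function insert_user(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
}

function stored_names(PDO $db): array
{
    return $db->query('SELECT name FROM users ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample inputs: a benign name, a name that the posted
// clean_mysql() would silently corrupt, the xkcd payload, an XSS attempt,
// and a value with a control character that validation should reject.
$inputs = [
    "Jochem Maas",
    "Bobby -- Tables; Inc.",
    "Robert'); DROP TABLE users;--",
    "<script>alert(1)</script>",
    "Eve\x00Mallory",
];

$db = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

foreach ($inputs as $raw) {
    $name = filter_display_name($raw);
    if ($name === null) {
        echo "rejected at validation: " . for_html($raw) . "\n";
        continue;
    }
    insert_user($db, $name);
    echo "stored; rendered as: " . for_html($name) . "\n";
}

// The table still exists and every accepted value came back byte-for-byte:
// the SQL payload was data, not a statement, and the HTML payload is text.
foreach (stored_names($db) as $stored) {
    echo "db row: " . for_html($stored) . "\n";
}
```

Run it with `php example.php`. The key point is that the SQL stage needs no per-character surgery: with bound parameters the database never parses the value as SQL, and the HTML stage does its own encoding at render time, so each sink's escaping stays independent of the other.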