The big problem really is accepting input and displaying it without encoding
or stripping the HTML. If you want to accept HTML, you need to strip out all
JavaScript, intrinsic events, and even scripts hidden in styles. For the
most part Cake will construct the SQL queries in a protected manner. You
will also want to scan for Base64 encoded data as people are hiding their
scripts in there too.
Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.
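An added example, not code from this thread or from CakePHP, of the WYSIWYG case both replies single out: an allow-list HTML filter (rather than a strip-what-you-recognise pass, which misses encodings it does not know about) that drops script and style content, on* intrinsic event attributes and style attributes, and rejects javascript:/data: (Base64) URLs in href. The names filterHtml and scrub are made up for this illustration; plain-text fields should still go through h() as the replies say.

```php
<?php
// Added example, not from the thread or CakePHP; filterHtml/scrub are made-up names.
// Allow-list filter: anything not listed (script, style, iframe, on* handlers, style
// attributes) is dropped, and href values are checked so javascript:/data: cannot get in.
function filterHtml(string $html): string {
    $tags    = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
    $attrs   = ['a' => ['href']];
    $schemes = ['http', 'https', 'mailto'];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                  // tolerate sloppy markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    scrub($body, $tags, $attrs, $schemes);
    $out = '';
    foreach ($body->childNodes as $c) { $out .= $doc->saveHTML($c); }
    return $out;                                       // text nodes come out entity-encoded
}
function scrub(DOMElement $node, array $tags, array $attrs, array $schemes): void {
    // Copy the live NodeList first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMComment) { $node->removeChild($child); continue; }
        if (!$child instanceof DOMElement) { continue; }     // text passes through
        scrub($child, $tags, $attrs, $schemes);              // clean children first
        $tag = strtolower($child->tagName);
        if (!in_array($tag, $tags, true)) {
            if (!in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
                // Unknown but harmless tag: keep its children, lose the tag itself.
                while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            }
            $node->removeChild($child);                      // script/style etc. go with their content
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $ok   = in_array($name, $attrs[$tag] ?? [], true);
            if ($ok && $name === 'href') {
                // Browsers ignore control chars inside a scheme ("java\tscript:"), so strip them first.
                $scheme = parse_url(preg_replace('/[\x00-\x20\x7f]/', '', $attr->value), PHP_URL_SCHEME);
                $ok = $scheme === null || (is_string($scheme) && in_array(strtolower($scheme), $schemes, true));
            }
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
    }
}
// Constructed sample input for the demonstration.
$untrusted = '<p onmouseover="steal()">Hi <a href="javascript:alert(1)">x</a>'
           . '<script>evil()</script><a href="https://example.com">ok</a></p>';
echo filterHtml($untrusted), "\n";
```

The output keeps the paragraph and the https link but has no onmouseover, no script element and no href on the first link; the filter is run on display (or once on save with the original kept), never as a substitute for h() on plain-text fields.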
On Tue, Nov 17, 2009 at 10:57 PM, Dr. Loboto drlob...@gmail.com wrote:
When data is saved to the DB, Cake properly escapes it, so there is no problem with
SQL injection and no need to sanitize beforehand.
When data is displayed, using the h() function will secure it enough.
With such an approach you face problems only when you allow users to post HTML
(for example, with a WYSIWYG editor). In this case neither h() nor Sanitize
can save you, as neither of them can be used in such a case.
On Nov 18, 4:07 am, Dave make.cake.b...@gmail.com wrote:
I have asked a few questions about data sanitization and got different
responses.
Some people say just don't sanitize and use echo h(); others say always
sanitize.
Books say never trust what the user enters so always clean data before
saving.
I know every app has different requirements but as a general rule what do
you do?
Just looking for feedback as to different methods for each baker.
Thanks
Dave
--
You received this message because you are subscribed to the Google Groups
CakePHP group.
To post to this group, send email to cake-...@googlegroups.com.
To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=.