Re: To Sanitize or not? :: Public Opinion
You may sanitize sometimes, but you should always validate inputs (forms, URLs, HTTP requests).
--
You received this message because you are subscribed to the Google Groups CakePHP group. To post to this group, send email to cake-...@googlegroups.com. To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/cake-php?hl=.
Re: To Sanitize or not? :: Public Opinion
CakePHP already makes any user input safe in save functions (with the exception of updateAll). My general rule of thumb is not to filter user input on save, but on display. This way you can see which users are trying malicious code and take action accordingly.

On Nov 23, 1:12 am, robustsolution i...@robustsolution.net wrote:
> You may sanitize sometimes, but you should always validate inputs (forms, URLs, HTTP requests).
To Sanitize or not? :: Public Opinion
I have asked a few questions about data sanitization and got different responses. Some people say just don't sanitize and use echo h(); others say always sanitize. Books say never trust what the user enters, so always clean data before saving. I know every app has different requirements, but as a general rule what do you do? Just looking for feedback as to different methods for each baker.

Thanks,
Dave
Re: To Sanitize or not? :: Public Opinion
On Tue, Nov 17, 2009 at 7:07 PM, Dave make.cake.b...@gmail.com wrote:
> I have asked a few questions about data sanitization and got different responses. Some people say just don't sanitize and use echo h(); others say always sanitize. Books say never trust what the user enters, so always clean data before saving.

I think you said it all. Never trust data from the user. I vote for always sanitize. You never know when you'll face a Bobby Tables user. http://xkcd.com/327/

Best regards.
--
MARCELO DE F. ANDRADE
Belem, PA, Amazonia, Brazil
Linux User #221105
Re: To Sanitize or not? :: Public Opinion
If you filter and validate the data before saving it to the database, then there's no need for Sanitization... unless you allow them to use HTML.

On Nov 17, 3:00 pm, Marcelo Andrade mfandr...@gmail.com wrote:
Re: To Sanitize or not? :: Public Opinion
When data is saved to the DB, Cake properly escapes it, so there is no problem with SQL injection and no need to sanitize before. When data is displayed, using the h() function will secure it enough. With such an approach you face problems only when you allow users to post HTML (for example, with a WYSIWYG editor). In this case neither h() nor Sanitize can save you, as neither of them can be used in such a case.

On Nov 18, 4:07 am, Dave make.cake.b...@gmail.com wrote:
Re: To Sanitize or not? :: Public Opinion
The big problem really is accepting input and displaying it without encoding or stripping the HTML. If you want to accept HTML, you need to strip out all JavaScript, intrinsic events, and even scripts hidden in styles. For the most part Cake will construct the SQL queries in a protected manner. You will also want to scan for Base64-encoded data, as people are hiding their scripts in there too.

Erik Nedwidek
Project Manager
Lighthouse I.T. Consulting, Inc.

On Tue, Nov 17, 2009 at 10:57 PM, Dr. Loboto drlob...@gmail.com wrote:
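As an added example (not from this thread and not CakePHP's own code), here is the approach the replies converge on, in plain PHP: validate the shape of input at the boundary, store the raw value, encode plain-text fields on output as h() does, and for fields that legitimately accept HTML filter with an allowlist rather than trying to strip known-bad patterns. The function names, the 5000-byte limit and the tag list are assumptions for illustration; it requires ext-dom.

```php
<?php
// Added example (not CakePHP's code): validate on input, store raw, encode on output,
// allowlist-filter rich text. Names, limits and the tag list are assumptions.
function validateComment(array $in): array
{
    $errors = [];
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email must be a valid address';
    }
    if (trim($in['body'] ?? '') === '' || strlen($in['body']) > 5000) {
        $errors[] = 'body must be 1 to 5000 bytes';
    }
    return $errors;   // empty means the record can be saved unchanged
}
// Output encoding for plain-text fields, equivalent to h() in a CakePHP view.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Allowlist filter for rich-text fields: anything not listed (script, style,
// on* handlers, javascript: URLs, unknown tags) is dropped by construction.
function allowlistHtml(string $html): string
{
    $tags  = ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'];
    $attrs = ['a' => ['href']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // user fragments are often malformed; parse anyway
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $xpath = new DOMXPath($doc);
    // Snapshot the live node list first: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($xpath->query('//div/descendant::*')) as $el) {
        if (!in_array($el->nodeName, $tags, true)) {
            $el->parentNode->removeChild($el);   // drops the element and its whole subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $ok = in_array($attr->name, $attrs[$el->nodeName] ?? [], true)
                && ($attr->name !== 'href' || preg_match('~^(https?:|mailto:|/)~i', trim($attr->value)));
            if (!$ok) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);   // serialise only the wrapper's children
    }
    return $out;
}
```

Plain-text fields go through h() at display time; only fields explicitly declared as rich text go through allowlistHtml(), and nothing is ever rewritten before it reaches the database.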