#16
    So I know it's crucial to sanitize the output I'm echoing back from the database, but is it necessary to sanitize input too, maybe to avoid JavaScript from ever reaching the database? I ran into this during my research:
    PHP Code:
    // filter_input() takes one variable name per call, so each field is filtered separately
    $title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING);
    $body  = filter_input(INPUT_POST, 'body', FILTER_SANITIZE_STRING);
#17
    No. This is a common misunderstanding: XSS is an output problem, not an input problem. Your users may enter any character they want. It's your job to make sure that the output is correct by escaping the values.

    Mangling the user input just because it has a special meaning in some contexts is a bad idea. If this forum worked like that, we couldn't write a single sentence. We wouldn't be allowed to use the words "from" or "and", because those are SQL keywords. We couldn't write down quotes, because those are used in HTML etc.

    Don't mess with the user input. Store the original, unaltered data and do the escaping when you output the data.

    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
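As an added example (not code from the thread or from either poster), here is the approach post #17 describes in PHP: the submitted value is kept unchanged for storage and escaped with htmlspecialchars() at the output boundary, contrasted with what FILTER_SANITIZE_STRING from post #16 does to the same data before it reaches the database. The function names and the sample strings are my own.

```php
<?php
declare(strict_types=1);

// What FILTER_SANITIZE_STRING does on the way in: it strips anything that
// looks like a tag and encodes quotes, so legitimate text is altered before
// it is ever stored. (The filter is deprecated since PHP 8.1.)
function mangleOnInput(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_STRING);
}

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a stored title. The raw value went into the database as typed;
// escaping happens here, once, for the context it is emitted into.
function renderTitle(string $storedTitle): string
{
    $safe = escapeHtml($storedTitle);
    return '<h1 title="' . $safe . '">' . $safe . '</h1>';
}

// Constructed sample inputs, not real form data.
$samples = [
    'Tom & Jerry say "hi"',        // quotes get encoded by the input filter
    'I <b>love</b> PHP',           // harmless markup is deleted by the input filter
    '<script>alert(1)</script>',   // must never be interpreted as HTML on output
];

foreach ($samples as $raw) {
    echo "raw:      $raw\n";
    echo "filtered: " . mangleOnInput($raw) . "\n";  // data changed before storage
    echo "rendered: " . renderTitle($raw) . "\n\n";  // original kept, output is inert
}
```

Run it with `php example.php`; the third sample shows the point of the thread: the stored value still contains the literal tag, and the rendered output shows it as text rather than executing it.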