On 7/16/07, Chris Hartjes <[EMAIL PROTECTED]> wrote:
> The big issues are usually to deal with input from users that contains
> malicious code (like javascript or attempts to manipulate database
> queries by packing things onto the end of a URL) so you need to be
> aware of the proper techniques for filtering input you get via forms
> and via the URL. If I understand correctly, anything to do with
> parameters passed around using the various model methods (i.e.
> findAll) are correctly filtered. I'd have to actually check the form
> input handlers to tell you with 100% certainty that data from form
> input is being automatically escaped, but knowing Larry and the other
> core developers like I do I'd say it's very likely that it is being
> done.

I see. And I have complete confidence that it has been done :)

> By escaping output, I mean that you should NEVER simply echo back
> input that you've gotten from a user. You should run it through
> things like htmlentities() and striptags() and other similar tools,
> with the goal being removing anything other than just the information
> you want them to enter.

Ah... I understand what you mean now. I heard once that it can cause cross-site scripting. Got it Chris, thanks for the explanation!

> Go to Chris Shifflet's web site http://shiflett.org/ for some of the
> best info out there on PHP security tips and techniques.

Looking at it now. Thanks again for the reference ;)

> --
> Chris Hartjes
> Senior Developer
> Cake Development Corporation
>
> My motto for 2007: "Just build it, damnit!"

Best Regards,
Feris
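The output-escaping point Chris makes above, shown in plain PHP as an added example (this is not code from the thread, from CakePHP, or from shiflett.org). It uses htmlspecialchars() rather than the htmlentities() named in the thread; for the purpose of neutralising markup in an HTML text context the two behave the same, and the function names and sample input below are all constructed for the illustration.

```php
<?php
// Added example (not from the thread): echoing user input raw versus
// escaping it for HTML output. Plain PHP, no CakePHP helpers assumed.

// Constructed sample input standing in for a submitted form field value.
$userInput = 'Feris <script>alert("xss")</script> & "friends"';

// Unsafe: the input is concatenated straight into the page, so any markup
// it contains is parsed by the browser instead of being shown as text.
function renderUnsafe(string $input): string
{
    return "<p>Hello, " . $input . "</p>";
}

// Safe for an HTML text context: characters with meaning in HTML are
// converted to entities. ENT_QUOTES covers both quote styles, so the same
// helper is also usable inside double- or single-quoted attribute values.
// The charset argument must match the encoding the page is served with.
function escapeHtml(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $input): string
{
    return "<p>Hello, " . escapeHtml($input) . "</p>";
}

// strip_tags() removes markup but keeps the text inside the tags, so it is
// an input-filtering step for data you intend to store as plain text, not
// a substitute for escaping at output time: whatever survives the filter
// is still escaped before it is echoed.
function filterPlainText(string $input): string
{
    return trim(strip_tags($input));
}

echo renderUnsafe($userInput), "\n";                    // tag reaches the browser intact
echo renderSafe($userInput), "\n";                      // tag rendered as literal text
echo renderSafe(filterPlainText($userInput)), "\n";     // tag removed, remainder escaped
```

The practical rule the thread is describing is the last two lines, not the first: filter on the way in if you want to reject or strip markup, but always escape on the way out, choosing the escaping function for the context the value lands in (HTML text here; attribute values, JavaScript and URLs each need their own treatment).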
