Hi Xinchen,

On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui <larue...@php.net> wrote:
> and for the "age" usage you replied in github, I think the author of
> such code should be aware, if it's only number, then instead of
> htmlspecialchars($age), he should use echo $age directly... which is
> faster.
>

To build secure apps, users MUST escape everything for the context by _default_.
Selective escaping is the cause of injection vulnerabilities, especially with a language like PHP.

The principle is "Don't think, escape all (for the context)".

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
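The trade-off discussed above, as an added example that is not part of the thread: the "age" value is assumed to be numeric, but nothing enforces that before it reaches the template, so selective escaping turns the assumption into an HTML injection. The request array, the `h()` helper and the `render*()` functions are constructed for this illustration.

```php
<?php
// Added example (not from the mailing-list thread): why "it's only a number,
// echo it directly" is unsafe, and what "escape for the context by default" looks like.
declare(strict_types=1);

// Escape helper for HTML text/attribute context. Calling it on every value is
// cheap; one forgotten call is the injection.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request: the developer "knows" age is a number, but a query string
// parameter is a string the client controls.
$request = ['age' => '<b>not a number</b>'];

// Selective escaping: the author decided $age needs no escaping.
function renderUnsafe(array $req): string
{
    $age = $req['age'];                    // string from the query string, not an int
    return '<p>Age: ' . $age . '</p>';     // client-supplied markup lands in the page verbatim
}

// Escape-by-default: every interpolated value goes through h(), regardless of
// what we believe its type to be. The output stays inert when the assumption fails.
function renderEscaped(array $req): string
{
    $age = $req['age'];
    return '<p>Age: ' . h($age) . '</p>';
}

// Stronger still: validate the type at the input boundary AND escape on output.
// Either step alone closes this hole; doing both is defence in depth.
function renderValidated(array $req): string
{
    $age = filter_var($req['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    if ($age === false) {
        return '<p>Age: ' . h('invalid') . '</p>';
    }
    return '<p>Age: ' . h((string) $age) . '</p>';
}

echo renderUnsafe($request), "\n";
echo renderEscaped($request), "\n";
echo renderValidated($request), "\n";
```

Only the first line of output renders the injected `<b>` element as markup; the other two print it as literal text or reject it.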