On 17 March 2010 03:58, Tom Mac <[email protected]> wrote:
> Means we can exempt some fields from sanitization. So isn't
> that sufficient? Any other thoughts?
So instead of messing with *all* of the user-supplied input, you only mess with *some* of it? That won't end up in confusion for the developers trying to re-render the DB content to PDF, etc., when some of the data renders fine and some has to be "decoded" back to plain text (but doesn't go back to *exactly* what the user typed)?

I didn't think I was ambiguous: fiddling with users' data before you store it is going to end up in confusion and pain somewhere [1]. It's perfectly easy to assume that all DB content is tainted, and treat it appropriately for whatever purpose you want to put it to.

My 2p... YMMV :-)

[1] Of course, you need to "fiddle" with it to prevent SQL injection - but the end result should be that the content in the DB is exactly what the user typed even if they typed "Robert'); DROP TABLE students;--" http://xkcd.com/327/
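The "store exactly what was typed, treat every DB value as tainted, encode per output context" approach this reply argues for, as an added Ruby example that is not part of the thread. The in-memory "store" functions stand in for the database write (assumed to use bind parameters), and the sample input is the Bobby Tables string from the post.

```ruby
require "cgi"
require "json"

# Constructed sample input: the string quoted in the post.
BOBBY = "Robert'); DROP TABLE students;--"

# Approach the post argues against: HTML-escape once on the way *in*.
# The DB now holds entities ("&#39;"), not what the user typed.
def store_sanitized(name)
  CGI.escapeHTML(name)
end

# Approach the post recommends: keep the bytes exactly as typed.
# This is only safe because the INSERT itself uses bind parameters
# (ActiveRecord: Student.create!(name: name), where("name = ?", name)),
# never string interpolation into SQL; the driver quotes at the query
# boundary and the stored value is untouched.
def store_raw(name)
  name.dup.freeze
end

# Every consumer assumes the value is tainted and encodes for its own context.
def render_html(value)
  "<td>#{CGI.escapeHTML(value)}</td>"
end

def render_plain(value) # e.g. handing text to a PDF generator or CSV writer
  value
end

def render_json(value)
  { name: value }.to_json
end

# Side-by-side view of what each consumer sees for a stored value.
def consumer_view(stored)
  { html: render_html(stored), plain: render_plain(stored), json: render_json(stored) }
end

if __FILE__ == $PROGRAM_NAME
  puts "sanitized on input: #{consumer_view(store_sanitized(BOBBY))}"
  puts "raw, encoded on output: #{consumer_view(store_raw(BOBBY))}"
end
```

With input-time sanitizing the HTML view is double-encoded (`&amp;#39;`) and the PDF/plain view shows entities; with the raw store every context gets the right encoding and the plain view is byte-for-byte what the user typed.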

