Michael, Excellent points.
--
Jeremy Chase
http://twitter.com/jeremychase

On Wed, Mar 17, 2010 at 5:12 AM, Michael Pavling <[email protected]> wrote:
> On 17 March 2010 03:58, Tom Mac <[email protected]> wrote:
> > Means we can exempt some fields from sanitization. So isn't
> > that sufficient? Any other thoughts?
>
> So instead of messing with *all* of the user-supplied input, you only
> mess with *some* of it? That won't end up in confusion for the
> developers trying to re-render the DB content to PDF, etc.; when some
> of the data renders fine, and some has to be "decoded" back to plain
> text (but doesn't go back to *exactly* what the user typed)...
>
> I didn't think I was ambiguous: fiddling with users' data before you
> store it is going to end up in confusion and pain somewhere [1]. It's
> perfectly easy to assume that all DB content is tainted, and treat it
> appropriately for whatever purpose you want to put it.
>
> My 2p... YMMV :-)
>
> [1] Of course, you need to "fiddle" with it to prevent SQL injection -
> but the end result should be that the content in the DB is exactly
> what the user typed even if they typed "Robert'); DROP TABLE
> students;--"
> http://xkcd.com/327/
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected]<rubyonrails-talk%[email protected]>
> .
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
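The point Michael makes, that escaping on the way into the database breaks every output context other than the one you escaped for, is easy to show concretely. The Ruby below is an added example, not code from anyone in this thread: it stores the same input two ways (escaped on input versus stored exactly as typed) and then renders each into HTML, plain text (as a PDF generator would consume it) and JSON. Only `ERB::Util` and `JSON` from the standard library are used; the `store_*` and `render_*` helpers and the sample strings are constructed for the demonstration. Keeping SQL injection out is a separate, orthogonal step handled by bound parameters in the database adapter, which is why the stored value can still be the literal xkcd string.

```ruby
require "erb"
require "json"

# Constructed sample inputs: the string from the thread, plus one with markup
# characters that matter for HTML output.
SAMPLE_INPUTS = [
  "Robert'); DROP TABLE students;--",
  "<b>Bobby</b> & \"Tables\"",
].freeze

# Approach the thread argues against: escape for HTML before storing.
def store_sanitized(input)
  ERB::Util.html_escape(input)
end

# Approach the thread recommends: store exactly what the user typed and
# treat everything read back from the DB as tainted.
def store_raw(input)
  input.dup.freeze
end

# Encoders chosen at output time, one per rendering context.
def render_html(stored)
  ERB::Util.html_escape(stored)   # escape here, where the context is known
end

def render_plain(stored)
  stored                          # a text field in a PDF wants the raw string
end

def render_json(stored)
  JSON.generate("name" => stored) # JSON has its own escaping rules
end

# Does the plain-text rendering give back exactly what the user typed?
def roundtrip_ok?(input, store)
  render_plain(store.call(input)) == input
end

# Side-by-side result for one input, so the double-escaping is visible.
def compare(input)
  {
    raw_html:       render_html(store_raw(input)),
    sanitized_html: render_html(store_sanitized(input)), # double-escaped
    raw_json:       render_json(store_raw(input)),
    raw_plain_ok:   roundtrip_ok?(input, method(:store_raw)),
    san_plain_ok:   roundtrip_ok?(input, method(:store_sanitized)),
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each do |s|
    puts "input: #{s.inspect}"
    compare(s).each { |k, v| puts "  #{k}: #{v.inspect}" }
  end
end
```

Running it shows the sanitized-on-input row rendering as `&amp;lt;b&amp;gt;...` in HTML and failing the plain-text round trip, while the raw-stored row is correct in every context because each renderer applies exactly one encoding for its own output.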

