John Campbell wrote:
On a similar subject:
If your solution is to "validate input" or "input filtering", you are
going about things all wrong. Validating input is for the birds;
prepared sql and output escaping is the way to go. I don't give a
shit if my users use names like "<a href='javascript:blahblah'>",
just like my web email client doesn't filter it from this post. I
default to escaping the html automatically when I send it to the view,
and all queries are prepared. It makes coding much easier, and I
don't have to worry about forgetting to call esc() once.
When coders hear "don't trust user input" it foolishly gets translated
to "validate the user's input" and that is one of the primary problems
with php coders today. I trust all user input and just escape it for
the db and display. I occasionally validate the input, but that is
just to make sure the user didn't make a typo.
That is what I still would call input validation. The validation is not
about the sense of the input, but about it being valid for processing by
the system. At least you and I mean the same thing. When I say "all input
is evil" then I mean that you need to check it for being fit for queries
and display. So yes, if a user wants to be referred to by
"<a href='javascript:blahblah'>" then I'd not stop them from it.
David
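The approach John describes, prepared queries plus escaping applied by default on the way to the view, as an added PHP example that is not from the thread. It assumes PDO with the sqlite driver; the in-memory table and the sample username are constructed here for the demonstration.

```php
<?php
// Added example (not from the thread). Assumes PDO + sqlite driver.

// Output escaping for HTML. This is the only place escaping lives.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Render a view: every variable handed to the template is escaped here,
// so no template author has to remember to call esc() on each value.
function render(string $template, array $vars): string
{
    $replacements = [];
    foreach ($vars as $key => $value) {
        $replacements['{' . $key . '}'] = esc((string) $value);
    }
    return strtr($template, $replacements);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// The username from the thread, plus an apostrophe that would break a
// string-concatenated query. Nothing is validated or filtered out.
$name = "<a href='javascript:blahblah'>O'Brien</a>";

// Prepared statement: the name travels as a bound parameter, never as SQL text.
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);

$select = $db->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => $name]);
$stored = $select->fetchColumn();

// The database holds the name exactly as the user typed it...
if ($stored !== $name) {
    throw new RuntimeException('stored name does not match input');
}

// ...and the view shows it as inert text rather than as markup.
echo render("<p>Hello, {name}!</p>\n", ['name' => $stored]);
```

Run it with the PHP CLI; the rendered paragraph contains the link tag and apostrophes as entities, while a query built by concatenation would have failed on the apostrophe.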
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk