Hi Rob:

On Mon, Nov 12, 2007 at 04:26:54PM -0500, Rob Marscher wrote:
> > But it's expensive to escape it every time someone views the page.
> Therefore, it's recommended to filter it on input but store the
> filtered version
This approach is flawed because disgruntled people who have server-side
access to the database can insert HTML. Escaping HTML upon page
generation is the safest way to go.

--Dan

--
T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335  f: 718-854-0409

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
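The point Dan makes above, as an added PHP example that is not part of the thread and not code from either poster: every stored field is escaped at page generation with `htmlspecialchars()`, so a row that was written straight into the database (bypassing whatever input filter the web form applied) still renders as inert text. The `$rows` array is a constructed stand-in for database rows, and the helper names `h()` and `renderComment()` are my own; the flags used assume PHP 5.4 or later.

```php
<?php
declare(strict_types=1);

/**
 * Escape a string for use inside an HTML text node or a double-quoted
 * attribute value. ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE
 * replaces invalid UTF-8 rather than returning an empty string.
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render one comment row as an HTML fragment. Escaping happens here, at
 * output time, so it does not matter how the row got into the database.
 */
function renderComment(array $row): string
{
    return '<li class="comment" data-author="' . h($row['author']) . '">'
         . '<strong>' . h($row['author']) . '</strong>: ' . h($row['body'])
         . '</li>';
}

// Constructed sample rows standing in for a SELECT from the comments table.
// The second row represents data inserted directly with DB access; it never
// went through the application's input filter.
$rows = [
    ['author' => 'alice',        'body' => 'Looks good to me & thanks!'],
    ['author' => 'mallory" x="', 'body' => '<script>alert(document.cookie)</script>'],
];

echo "<ul>\n";
foreach ($rows as $row) {
    // Both rows come out as escaped text; the <script> tag and the stray
    // quote in the author name are rendered literally, not interpreted.
    echo '  ' . renderComment($row) . "\n";
}
echo "</ul>\n";
```

Run it with `php example.php` and inspect the output: the second row appears as `&lt;script&gt;...` in the body and `mallory&quot; x=&quot;` in the attribute. The cost concern in the quoted message is real but small; if it matters, cache the rendered fragment, not the "filtered" input, so the stored data stays raw and the escaping rule stays in one place.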