Filter Input, Escape Output #13
Comments
I am looking at this issue, and I assume this is here: to filter the inputs, I would use filter_var() and strip_tags for escaping the output. Does that seem on par with what you were looking for, @auroraeosrose ?
yes to filter_var for validating the input (filter is such an overloaded term) - NO to strip_tags - you want htmlentities/htmlspecialchars for escaping output - we don't want to try to sanitize, just escape :)
thank you so much!
No problem, ask if you have more questions!
Adding a +1 for this. I was going to raise it myself with my other reports, so thanks OP for raising it. I've had it recommended to me that
Security is a mindset, not an after the fact addition
The db stuff does a good job of mentioning using bound params to deal with SQL injection, but there is nothing about the other end of security - FIEO.
From the first moment POST and GET are mentioned and used, the idea of filtering input (validating you got what you expected) and escaping output (a wrapper with htmlspecialchars would suffice for beginners) should be introduced.
Just the basics are needed, nothing fancy - an output escaper function/method to use when echoing stuff out and the use of filter_var to make sure data is right from a POST is plenty good for a beginner level, but introducing the idea of "the user is a jerk and will try to break stuff" is good for beginning dev minds ;)
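The FIEO pattern that the issue body and the earlier comment describe (filter_var to validate what came in from POST, an htmlspecialchars wrapper to escape whatever goes out as HTML), as an added, runnable example; this is not code from the issue thread or from the project it is filed against. It assumes a form posting `age`, `email` and `name`, and stands in for `$_POST` with a constructed array so it can be run from the command line.

```php
<?php
// Added example (not from the issue thread): Filter Input, Escape Output.
// The $post array below is constructed sample data standing in for $_POST.

declare(strict_types=1);

// --- Escape Output: one wrapper used every time data is echoed into HTML.
// ENT_QUOTES escapes both ' and " so the value is also safe inside an
// attribute; the charset must match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Filter Input: validate, don't sanitize. Return null when the value is
// not what was expected so the caller has to handle the bad case explicitly.
function validAge(array $input): ?int
{
    $age = filter_var(
        $input['age'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]
    );
    return $age === false ? null : $age;
}

function validEmail(array $input): ?string
{
    $email = filter_var($input['email'] ?? null, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Constructed request: the "user will try to break stuff" case.
$post = [
    'age'   => '42abc',            // not an integer -> rejected by filter_var
    'email' => 'bob@example.com',  // passes FILTER_VALIDATE_EMAIL
    'name'  => '<b>Bob</b> & co',  // free text: accepted, escaped on output
];

$age   = validAge($post);
$email = validEmail($post);

if ($age === null) {
    echo "Rejected age: expected an integer between 0 and 150.\n";
} else {
    echo 'Age: ' . $age . "\n";
}

if ($email === null) {
    echo "Rejected email address.\n";
} else {
    echo 'Email: ' . $email . "\n";
}

// Free-form text like a name cannot be validated into a safe shape; it is
// stored as-is and escaped at the point where it is written into HTML.
$name = (string) ($post['name'] ?? '');
echo '<p>Hello, ' . e($name) . '</p>' . "\n";
```

Note the split of responsibilities: validation rejects input that is not the expected type or range, while the escaper is applied to every value at output time regardless of where it came from, so a value that legitimately contains `<` or `&` is displayed literally instead of being interpreted as markup.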