Re: PHP filter function against SQL injections
From: Henry Troup <htroup () acm org>
Date: Mon, 12 Feb 2007 20:18:28 -0500
It's a serious mistake to assume that the PHP page will only ever see input from its own page. An attacker will not
convenience; but it can never be part of your security strategy.
Filtering input for security must be done on the server. On the server you must treat all input as "evil" until it is
proven innocent (passes the filter).
htroup () acm org
On Sat Feb 10 10:35, Nic Stevens sent:
> I would suggest, though, using data filtering on the form using
> for example, only allow valid characters to be placed in the form field.
> (I don't know the event handler syntax offhand but I know it can be done)
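
The server-side check argued for in the reply above, as an added example that is not part of the original thread. The field names, patterns and sample requests are hypothetical and constructed for illustration; it shows a server-side allow-list rejecting requests that never passed through the page's own form.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: each expected field must match its whole pattern.
// \A and \z anchor the full string, so a trailing newline cannot slip through.
const RULES = [
    'username' => '/\A[A-Za-z0-9_]{3,20}\z/',
    'user_id'  => '/\A[1-9][0-9]{0,8}\z/',
];

/**
 * Treat every request field as hostile until it passes its rule.
 * Returns [clean values, errors]; use the values only when errors is empty.
 */
function filter_request(array $input, array $rules): array
{
    $clean = [];
    $errors = [];
    // Fields the form never defines are rejected, not silently ignored.
    foreach (array_diff_key($input, $rules) as $name => $_) {
        $errors[] = 'unexpected field: ' . var_export($name, true);
    }
    foreach ($rules as $name => $pattern) {
        $value = $input[$name] ?? null;
        if (!is_string($value)) {
            // Missing, or an array sent as name[]=..., which PHP parses happily.
            $errors[] = "$name: missing or not a string";
        } elseif (preg_match($pattern, $value) !== 1) {
            $errors[] = "$name: rejected by allow-list";
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed requests standing in for $_POST. The second and third were not
// produced by the page's form, so no client-side check was ever applied to them.
$requests = [
    'from the form'   => ['username' => 'alice_01', 'user_id' => '42'],
    'hand-built POST' => ['username' => "x' OR '1'='1", 'user_id' => '42'],
    'array parameter' => ['username' => ['a', 'b'], 'user_id' => '42', 'debug' => '1'],
];

foreach ($requests as $label => $request) {
    [$clean, $errors] = filter_request($request, RULES);
    echo $label, ': ', $errors ? 'REJECT (' . implode('; ', $errors) . ')' : 'ACCEPT', PHP_EOL;
}
```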