I have a small question about the Sanitize library, as I'm not really
good at solving security problems that may arise in my application.
As I already know, Sanitize comes with lots of methods: paranoid,
escape, html, etc.
But I wonder when to use which method, and I'm really confused by
it.
For instance, I have a form with a title field, a body field, a
datetime field and a select field. Before saving my POSTed data to the
database, what should I do to the data?
I mean, I want the title to be SQL-safe, but it should support all
kinds of legitimate characters: spaces, quotes ('), Unicode chars, etc.
When I try paranoid, the ' is stripped, and when I use escape, it turns
into &#...; which looks ugly in the edit form.
Then, the body. I want it to be formatted with Textile, so what
sanitizing method should I use? The same question goes for the datetime
field and the select field. Should I filter this submitted data, or
assume that no one can harm my application by changing the HTML
beneath them?
Well, I hope that I made it clear. English is not my mother tongue.
Thanks for your advice in advance.
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at
http://groups.google.com/group/cake-php?hl=en
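The approach the question is circling around (keep the title intact, let the database driver handle SQL safety, escape only when rendering HTML, and validate rather than "clean" the datetime and select values) shown as an added example. This is plain PHP with PDO and an in-memory SQLite database, not code from the original post or from CakePHP's Sanitize class; the field names, the category list and the use of the mbstring extension are assumptions made for the example, and the Textile rendering plus HTML sanitizing of the body at output time is described in a comment rather than implemented.

```php
<?php
// Added example (not from the original post or CakePHP): validate on input,
// bind parameters for SQL, escape on output. Assumes PHP >= 7.1 with mbstring
// and pdo_sqlite available.
declare(strict_types=1);

// Constructed sample of what $_POST might contain (hypothetical field names).
$post = [
    'title'    => "O'Reilly's \"Café\" review",
    'body'     => "h1. Heading\n\nSome *Textile* text with <script>alert(1)</script>",
    'datetime' => '2009-05-03 14:30:00',
    'category' => 'news',
];

// Allowed values for the select field (assumed list); anything else is rejected.
const ALLOWED_CATEGORIES = ['news', 'review', 'howto'];

function validate(array $post): array
{
    $errors = [];
    $clean  = [];

    // Title: keep every legitimate character. Do NOT strip quotes or HTML-escape
    // here; SQL safety comes from the prepared statement below, HTML safety from
    // escaping at render time. Only enforce length and valid UTF-8.
    $title = trim((string)($post['title'] ?? ''));
    if ($title === '' || !mb_check_encoding($title, 'UTF-8') || mb_strlen($title, 'UTF-8') > 255) {
        $errors['title'] = 'Title must be 1-255 characters of valid UTF-8.';
    } else {
        $clean['title'] = $title;
    }

    // Body: store the raw Textile source unchanged. When it is rendered, the HTML
    // the Textile library produces must go through an allow-list HTML sanitizer
    // before it reaches the page (assumed, not shown here).
    $body = (string)($post['body'] ?? '');
    if (!mb_check_encoding($body, 'UTF-8')) {
        $errors['body'] = 'Body is not valid UTF-8.';
    } else {
        $clean['body'] = $body;
    }

    // Datetime: parse strictly and require an exact round trip, so values such as
    // "2009-13-45 99:99:99" or "2009-05-03 14:30:00 junk" are rejected instead of
    // being silently adjusted or partially accepted.
    $raw = (string)($post['datetime'] ?? '');
    $dt  = DateTime::createFromFormat('Y-m-d H:i:s', $raw, new DateTimeZone('UTC'));
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $raw) {
        $errors['datetime'] = 'Datetime must be YYYY-MM-DD HH:MM:SS.';
    } else {
        $clean['datetime'] = $dt->format('Y-m-d H:i:s');
    }

    // Select: the <option> list in the browser is not a security boundary; anyone
    // can POST any value, so check it against the server-side allow list.
    $cat = (string)($post['category'] ?? '');
    if (!in_array($cat, ALLOWED_CATEGORIES, true)) {
        $errors['category'] = 'Unknown category.';
    } else {
        $clean['category'] = $cat;
    }

    return [$clean, $errors];
}

// Output escaping lives here, at render time, not before storage.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

[$clean, $errors] = validate($post);
if ($errors !== []) {
    foreach ($errors as $field => $msg) {
        echo "$field: $msg\n";
    }
    exit(1);
}

// SQL safety: bound parameters, so the quote in the title is data, never SQL.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT, created TEXT, category TEXT)');
$stmt = $db->prepare('INSERT INTO posts (title, body, created, category) VALUES (:title, :body, :created, :category)');
$stmt->execute([
    ':title'    => $clean['title'],
    ':body'     => $clean['body'],
    ':created'  => $clean['datetime'],
    ':category' => $clean['category'],
]);

$row = $db->query('SELECT title FROM posts')->fetch(PDO::FETCH_ASSOC);

// The stored title still contains the apostrophe, quotes and the Unicode "é".
echo 'Stored verbatim: ' . $row['title'] . "\n";
// The HTML source contains &#039; and &quot;, but the browser renders them back
// as ' and " in the edit form, so nothing "ugly" is visible to the user.
echo '<input name="title" value="' . escape_html($row['title']) . '">' . "\n";
```

The point of the layout is that each concern is handled at the layer where it applies: SQL injection is prevented by parameter binding (the ORM does the same when you pass data through it rather than interpolating it), cross-site scripting is prevented by escaping at output (CakePHP's h() helper wraps htmlspecialchars for this purpose), and the datetime and select fields are validated against a strict format and an allow list rather than passed through a generic "cleaning" function. Stripping or escaping the title before it reaches the database is what produces the lost apostrophes and the &#039; entities in the edit form.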