Hi,

On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Xinchen,
>
> On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui <larue...@php.net> wrote:
>
>> and for the "age" usage you replied in github, I think the author of
>> such code should be aware, if it's only a number, then instead of
>> htmlspecialchars($age), he should use echo $age directly... which is
>> faster.
>>
>
> To build secure apps, users MUST escape everything for the context by
> _default_.
> Selective escaping is the cause of injection vulnerability especially with
> a language like PHP.
>
> Principle is "Don't think, escape all (for the context)".
>
The key word here is "context" ... you know that there's nothing to escape for an integer, because the type is your context.

Selective escaping isn't a problem by itself; the problem is that many people use a blacklist approach instead of a whitelist one, and you can only fix that with education.

Cheers,
Andrey.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
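As an added illustration of the two positions in this thread (it is not code from either poster), a hypothetical PHP 8 output helper `e()` that escapes every value for its declared context by default and lets only an `int` through unescaped, because the type is the context; a blacklist filter `blacklistStrip()` is included for comparison, and the request data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: escape every value for its output context by default.
// The only value that legitimately skips escaping is one whose PHP type already
// makes it safe for the context: an int can only contain digits and a sign.
function e(mixed $value, string $context = 'html'): string
{
    if (is_int($value)) {
        return (string) $value;           // type is the context: nothing to escape
    }
    $s = (string) $value;                 // strings, floats, Stringable objects
    return match ($context) {
        'html', 'attr' => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8'),
        'js'           => json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
                                           | JSON_HEX_QUOT | JSON_THROW_ON_ERROR),
        'url'          => rawurlencode($s),
        default        => throw new InvalidArgumentException("unknown output context: $context"),
    };
}

// Blacklist approach for comparison: remove known-bad tokens, let the rest through.
function blacklistStrip(string $s): string
{
    return str_ireplace(['<script', '</script'], '', $s);
}

// Constructed request data: "age" arrives from a form as a *string*, so its type
// says nothing yet. Validate it into an int first (whitelist by type); only then
// is `echo $age` equivalent to `echo e($age)`.
$request = ['age' => '<img src=x onerror=alert(1)>', 'name' => "O'Brien <admin>"];

$age = filter_var($request['age'], FILTER_VALIDATE_INT);
if ($age === false) {
    $age = 0;                             // not an integer: reject and use a safe default
}
echo "<p>Age: " . e($age) . "</p>\n";

// A string is always run through the escaper for the context it is emitted into.
echo "<p>Name: " . e($request['name']) . "</p>\n";
echo "<input value=\"" . e($request['name'], 'attr') . "\">\n";
echo "<script>var name = " . e($request['name'], 'js') . ";</script>\n";
echo "<a href=\"/user?name=" . e($request['name'], 'url') . "\">profile</a>\n";

// The blacklist only knows the tokens it was given: the img payload passes untouched.
echo "<p>Age: " . blacklistStrip($request['age']) . "</p>\n";
```

Run with `php example.php` on PHP 8.0 or later (`match`, `mixed` and `throw` expressions are required).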