Hi,

On Wed, Jun 24, 2015 at 5:49 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Xinchen,
>
> On Wed, Jun 24, 2015 at 11:42 AM, Xinchen Hui <larue...@php.net> wrote:
>
>> and for the "age" usage you replied in github, I think the author of
>> such code should be aware, if it's only a number, then instead of
>> htmlspecialchars($age), he should use echo $age directly... which is
>> faster.
>>
>
> To build secure apps, users MUST escape everything for the context by
> _default_.
> Selective escaping is the cause of injection vulnerabilities, especially
> with languages like PHP.
>
> The principle is "Don't think, escape all (for the context)".
>

The key word here is "context" ... you know that there's nothing to
escape for an integer, because the type is your context.

Selective escaping isn't a problem by itself; the problem is that many
people use a blacklist approach instead of a whitelist one, and you can
only fix that with education.

Cheers,
Andrey.

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
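The two positions in this thread, "escape everything for the context by default" and "the type is your context", are illustrated below in an added example that is not from the thread or from php-src. The helpers `esc_html()` and `out()` and the sample request value are constructed for the illustration; `htmlspecialchars()` and `filter_var()` are the standard PHP functions.

```php
<?php
// Added example (not code from the thread): context-aware output escaping in PHP.
// Shows why "age is just a number" is only safe once the value actually has the
// integer type, and why an escape-by-default helper costs nothing for integers.

declare(strict_types=1);

// Escape for HTML body/attribute context. ENT_QUOTES matters: without it a
// single quote passes through unchanged, which breaks single-quoted attributes.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// "Escape all for the context": every value goes through this on output.
// For int/float the type is the context and there is nothing to escape, so the
// only cost is a type check; strings are escaped unconditionally.
function out(int|float|string|bool|null $v): string
{
    if (is_int($v) || is_float($v)) {
        return (string) $v;
    }
    return esc_html((string) $v);
}

// Request input is always a string in PHP, even when it "looks like" a number.
// Constructed sample value standing in for $_GET['age'] in a malformed request.
$ageFromRequest = '25"><b>not a number</b>';

// Unsafe: the author "knows" age is a number and echoes the raw request value,
// so the quote in the input closes the attribute and injects markup.
$unsafe = '<input value="' . $ageFromRequest . '">';

// Safe option 1 (Andrey's point): give the value a real type first. Only the
// whole string "25" would validate; anything else is rejected here.
$age = filter_var($ageFromRequest, FILTER_VALIDATE_INT);
if ($age === false) {
    $age = 0; // or reject the request entirely
}
$typed = '<input value="' . out($age) . '">';

// Safe option 2 (Yasuo's point): don't reason about it, escape for the context.
$escaped = '<input value="' . out($ageFromRequest) . '">';

echo "unsafe:  ", $unsafe, "\n";
echo "typed:   ", $typed, "\n";
echo "escaped: ", $escaped, "\n";
```

Run it with `php example.php`: the first line shows the attribute broken open by the raw string, the second shows that validation turned the bad input into a typed integer that needs no escaping, and the third shows the string escaped in place. The two safe paths agree with both posts: once a value is an `int`, skipping `htmlspecialchars()` is correct; until then, the default should be to escape.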
