John,

> If that text is not properly validated and escaped, you could
> be open to SQL Injection attacks
> ...
> you could be open to Cross Site Scripting attacks
After reading your response, I looked on the web to determine what you meant by "properly validated and escaped". From what I understand, "properly validated" means that you restrict the entry as much as possible, down to the length and form of input you expect. For instance, ensuring that email addresses have an "@" mark, no spaces, a valid TLD, and are limited in length, and that sort of thing.

I'm less clear on what "properly escaped" means. I thought escaping was a matter of putting slashes before special characters, so that their presence doesn't confuse the SQL queries one might run. Is it possible that, if one has taken at least that much precaution, a user could still enter malicious script that is held in a TEXT column?

I'm not totally sure I have the concepts right, but in any case, would anyone be willing to explain a little further what one would do to ensure "proper" validation and escaping of text input from users in order to increase security?

--
Yoroshiku!
Dave G
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
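An added example, not code from this thread or from Dave's post, showing the three separate steps behind "validate and escape" in PHP: validate the shape of the input, send values to the database as query parameters instead of slash-escaping them into the SQL string, and HTML-encode on output, since text that was harmless to SQL can still be interpreted by the browser when it is read back from a TEXT column. It assumes PHP with PDO and the pdo_sqlite extension, using an in-memory SQLite database in place of MySQL.

```php
<?php
// Added example (not from the original thread). Assumes PHP with PDO and the
// pdo_sqlite extension; an in-memory SQLite database stands in for MySQL.

// 1. Validate: reject input that does not have the shape you expect.
function validateEmail(string $email): ?string {
    $email = trim($email);
    if (strlen($email) > 254) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : null;
}

// 2. Parameterize: the text travels to the database as data, never spliced into
//    the SQL text, so quotes in it cannot change the query's structure.
function saveComment(PDO $db, string $email, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $body]);
}

// 3. Escape for the output context: HTML-encode when rendering. Whatever was
//    stored in the TEXT column is shown as text, not interpreted as markup.
function renderComment(array $row): string {
    $email = htmlspecialchars($row['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $body  = htmlspecialchars($row['body'],  ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><b>$email</b>: $body</p>";
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');

// Constructed inputs: a quote (significant to SQL), a malformed address
// (caught by validation), and a tag (significant to HTML, not to SQL).
$inputs = [
    ['dave@example.com', "O'Reilly's book is great"],
    ['not an email',     'anything at all'],
    ['eve@example.com',  '<script>alert(1)</script>'],
];
foreach ($inputs as [$email, $body]) {
    $valid = validateEmail($email);
    if ($valid === null) {
        echo "rejected: $email\n";
        continue;
    }
    saveComment($db, $valid, $body);
}
foreach ($db->query('SELECT email, body FROM comments') as $row) {
    echo renderComment($row), "\n";
}
```

The stored `<script>` text is printed as `&lt;script&gt;...`, which is the point: the database does not neutralise it, the output encoding does.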