Issue with CI XSS option - Convert html entity string
#12

(03-22-2016, 08:42 AM)mwhitney Wrote: Finally, there is some confusion (and disagreement) on the intended meaning of "filter input". In the sense of the strictest security needs, input may be whitelisted, and any input which does not match the whitelist is rejected outright. So, you would define a set of validations which state the allowed characters, the minimum and maximum length of the data (or, for numeric values, the minimum and maximum values and whether floating point values are permitted, and, if so, their precision), and similar validations which define what the data must be in order to be permitted.

This confusion is at the very core of the problem - people need to know the difference between "filtering" and "validation".

Filtering, or sanitization, is what xss_clean() does - trying to strip only the invalid parts of the data.
Validation is what should be done with inputs - completely rejecting data that is not 100% valid.

Problems like this one are why correct terminology is important.
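The distinction the reply draws, shown side by side in plain PHP (this is an added example, not code from the thread or from CodeIgniter itself; the username and price fields, their length limits, range and precision are assumptions chosen to mirror the quoted description):

```php
<?php
// Sanitizer ("filtering"): strips what it recognises as bad and returns whatever
// is left. Anything the pattern does not anticipate passes straight through.
function sanitize_username(string $input): string
{
    return preg_replace('/[^A-Za-z0-9_]/', '', $input);
}

// Validator: states exactly what is permitted and rejects everything else.
// Returns a list of errors; an empty list means the value is used unchanged.
function validate_username(string $input): array
{
    $errors = [];
    $len = strlen($input);
    if ($len < 3 || $len > 20) {                 // assumed limits: 3-20 characters
        $errors[] = 'length must be 3-20 characters';
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $input)) {
        $errors[] = 'only letters, digits and underscore are allowed';
    }
    return $errors;
}

// Numeric validator with range and precision, as the quoted post describes.
function validate_price(string $input, float $min, float $max, int $decimals): array
{
    $errors = [];
    if (!preg_match('/^\d+(\.\d{1,' . $decimals . '})?$/', $input)) {
        $errors[] = "must be a number with at most $decimals decimal places";
        return $errors;                          // no range check on a non-number
    }
    $value = (float) $input;
    if ($value < $min || $value > $max) {
        $errors[] = "must be between $min and $max";
    }
    return $errors;
}

// Constructed sample inputs: the sanitizer silently rewrites the first one into
// something that looks like a username; the validator refuses it with errors.
foreach (['<script>alert(1)</script>', 'alice_01'] as $raw) {
    printf("%-28s sanitized=%-20s errors=%s\n",
        var_export($raw, true), sanitize_username($raw),
        json_encode(validate_username($raw)));
}
foreach (['19.99', '19.999', '250'] as $raw) {
    printf("price %-8s errors=%s\n", $raw, json_encode(validate_price($raw, 0, 100, 2)));
}
```

Run it with `php example.php`; the validators never return a modified value, only a verdict, which is the property the reply is asking for.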


Messages In This Thread
RE: Issue with CI XSS option - Convert html entity string - by Narf - 03-22-2016, 11:21 AM


