Welcome Guest, Not a member yet? Register   Sign In
Are you sure about handling SECURITY?!

Thanks for your attention...

about regex that you mentioned it's overkill! I think it is so powerful and I use it. In this case, maybe you're right, but in other cases, it will be useful and I can validate input better. Suppose users must fill an input like this: 2016-11-05. With regex I have more control on format and also inserted values that must be integers. 

As I thought (please if it is true, say is true):
  • I can validate inputs (SCENARIO 1) with form validation library while accepting data via form submitting. If they are valid, insert them into database. When I read these values to send as HTML output, I must validate via PHP built-in functions like intval, filter_var or..., if they passed validations (validating inputs is done), now with xss_clean or HTML Purifier, I escape them and finally echo them in view file and send them to user browser, right?
  • In SCENARIO 2 (that I've HTML tags), the validation is not simple. so I use HTML Purifier and then store them into database. In this case when I want to output them as HTML, should I use HTML Purifier again? Or store them without HTML Purifier and when I output them, use it?
  • Both of users that replied to this question, do not say clearly xss_clean is better or HTML Purifier (as third party)! When I use xss_clean, if there is an <script> tag, it will print [removed], and HTML Purifier remove it.
  • One more thing is I, as admin, write posts with full of tags. In this case, I use <script> tags and must be there. How could I handle this? When I use xss_clean or HTML Purifier, they removed <script>! What should I do?

Messages In This Thread
RE: Are you sure about handling SECURITY?! - by pb.sajjad - 07-17-2016, 12:48 PM

Theme © iAndrew 2016 - Forum software by © MyBB