Welcome Guest, Not a member yet? Register   Sign In
Safe output

OK I understand it after I update my knowledge.

This site explain clear enough.


(07-02-2015, 08:14 AM)BeYourCyber Wrote: Back to question I not make sense if you want to clean output data because it use more resource when compare with clean on input.

input > clean > use 1 time clean code
output > clean > may use million time to clean it depend on time of page load

So just put the right input and clean or not clean depend on each field it will make you easier.

The logic of cleaning once vs. a million times doesn't hold up on three important points:

  1. Premature optimization: if the cleanup function takes a relatively small amount of time, it won't make a noticeable difference on your page load. You can probably find better ways to improve your page load speed without compromising on security.
  2. It's rarely a 1-time effort to clean the input, and it's rarely a reversible operation (or one you can perform on the same data multiple times). If you need to change your function to clean your data, you won't be able to run it on existing data, so you'll have to make an additional effort to fix the existing data.
  3. Your output code is trusting that the input it receives is safe.
Even if you cleaned the input to the database with the correct assumptions about your output, it doesn't guarantee that there wasn't some other attack on your server that placed malicious code into your data.

Even when you're allowing users to display example code, you need to do something to make sure it's safe. Example code should be displayed, not rendered, so you need to prevent them from breaking out of the sandbox that's created to display the code.

xss_clean() does a good job as a basic, prevent-everything type of method, but it's very limited in its usefulness (and effectiveness) because it is not specific to the output conditions.

Theme © iAndrew 2016 - Forum software by © MyBB