Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cross site scripting defense

Status
Not open for further replies.
jimmyshoes

jimmyshoes

Programmer
Jun 1, 2008
132
GB
I'm using htmlEditFormat() as a defence against cross site scripting. My question is where should you insert this function. If you are collecting data from a form, uploading it to a table and then later showing the data in the table, is it common practice to run htmlEditFormat() before you insert the data into the database table or is it better to save the data to the database in whatever form it is entered, and then run htmlEditForat() on the variables as they are output to the user during a later search?

Thanks
 
Sort by date Sort by votes
if you "save the data to the database in whatever form it is entered" you will eventually get hacked by SQL injection

htmlEditFormat is insufficient, by the way

for example, it won't stop "little bobby tables"

;-)

r937.com | rudy.ca
Buy my new book Simply SQL from Amazon
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Mike Lewis
  • Locked
  • Question
Using Dreamweaver to maintain a site not created in Dreamweaver
Replies
2
Views
260
Mike Lewis
Mike Lewis
lollieleaver
  • Locked
  • Question
Dreamweaver CS4 - how can I make an Access database downloadable from my site?
Replies
2
Views
89
lollieleaver
lollieleaver
Guthro
  • Locked
  • Question
Save site data DW8 and Win7
Replies
2
Views
72
Guthro
Guthro
raist3001
  • Locked
  • Question
Update multiple files in a site
Replies
2
Views
87
KozarTech
KozarTech
brettco
  • Locked
  • Question
Crosstabs help in Cold Fusion
Replies
0
Views
67
brettco
brettco

Part and Inventory Search

Sponsor

Back
Top