What is filtering, validation, output escaping, and why do it?
What is filtering?
- Filtering transforms values
- Example: strip_tags() removes HTML tags
What is validation?
- Validation verifies values
- Performed against a set of rules
- Example: strlen() returns the length of a string, which is then compared against an allowed maximum
What is output escaping?
- Makes information safe for display
- Can involve literally escaping values (e.g. quotes)
- Example: htmlspecialchars() converts characters such as < and > into HTML entities
Why would you filter, validate or escape output?
- Important component in protecting against common attacks
- Prevents broken strings (e.g. an unescaped quote ending a string early)
- Helps to keep data "clean"
- Often you want to do all three
- NOTE: sometimes validation is more appropriate than filtering!
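The three steps applied to one piece of untrusted input, as an added example that is not part of the original outline. It assumes a form that submits a name and an email address; the sample rows are constructed here. The name is filtered (strip_tags, trim) and then validated (strlen against a maximum), the email is only validated (filter_var) because silently "cleaning" an address would change its meaning, and escaping (htmlspecialchars) happens only at the point of output:

```php
<?php
declare(strict_types=1);

// Constructed sample inputs standing in for untrusted request data (not from the page).
$samples = [
    ['name' => 'Alice',                                'email' => 'alice@example.com'],
    ['name' => '<b>Bob</b> <script>alert(1)</script>', 'email' => 'bob@example.com'],
    ['name' => 'Carol "the" <Admin>',                  'email' => 'not-an-email'],
];

// Filtering: transform the value into the shape we want (tags removed, whitespace trimmed).
function filterName(string $raw): string
{
    return trim(strip_tags($raw));
}

// Validation: verify the value against rules and report violations; the value is not altered.
function validateName(string $name): array
{
    $errors = [];
    $len = strlen($name);
    if ($len === 0) {
        $errors[] = 'name is empty';
    }
    if ($len > 50) {
        $errors[] = 'name is longer than 50 bytes';
    }
    return $errors;
}

// An email address is a case where validation is more appropriate than filtering:
// stripping characters would yield a different address, so we reject instead of transform.
function validateEmail(string $email): array
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false
        ? ['email is not a valid address']
        : [];
}

// Output escaping: make the value safe for the HTML context it is displayed in.
// ENT_QUOTES also escapes single and double quotes, so the value is safe inside attributes too.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($samples as $i => $row) {
    $name   = filterName($row['name']);
    $errors = array_merge(validateName($name), validateEmail($row['email']));

    echo "Sample $i\n";
    echo "  filtered name : " . $name . "\n";
    if ($errors !== []) {
        echo "  rejected      : " . implode('; ', $errors) . "\n";
        continue;
    }
    // Escape only here, at output time; only validated data reaches this point.
    echo "  html          : <li>" . escapeHtml($name) . " &lt;" . escapeHtml($row['email']) . "&gt;</li>\n";
}
```

Running it shows the difference between the steps: filtering changes the second name to "Bob alert(1)", validation rejects the third row for its email without touching the name, and escaping turns the remaining quotes in "Carol \"the\"" into entities rather than removing them.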