Filter Input, Escape Output

[auroraeosrose]

Security is a mindset, not an after the fact addition

The db stuff does a good job of mentioning using bound params to deal with sql injection but there is nothing about the other end of security - FIEO

From the first moment POST and GET are mentioned and used the idea of filtering input (validating you got what you expected) and escaping output (a wrapper with htmlspecialchars would suffice for beginners) should be introduced

Just the basics are needed, nothing fancy - an output escaper function/method to use when echoing stuff out and the use of filter_var to make sure data is right from a POST is plenty good for a beginner level, but introducing the idea of "the user is a jerk and will try to break stuff" is good for beginning dev minds ;)

[elstamey]

I am looking at this issue, and I assume this is here:
Adding Topics
Editing Topics

to filter the inputs, I would use filter_var() and strip_tags for escaping the output.

Does that seem on par with what you were looking for, @auroraeosrose ?

[auroraeosrose]

yes to filter_var for validating the input (filter is such an overloaded term) - NO to strip_tags - you want htmlentiries/htmlspecialchars for escaping output - we don't want to try to sanitize, just escape :)

[elstamey]

thank you so much!

[auroraeosrose]

No problem, Ask if you have more questions!

[halfer]

Adding a +1 for this. I was going to raise it myself with my other reports, so thanks OP for raising it.

I've had it recommended to me that htmlspecialchars() should specify a character set explicitly, and the manual suggests the same.