7.12. Don't Trust User Input

The examples in this chapter take a naïve approach to user input. They expect users to send information to the scripts only through the HTML forms, and they assume users won't submit data outside the expected values. Some unexpected values are harmless: giving a word where the script expects a number will simply result in zero. Some values disturb the user interface. For example, a long string without any spaces may stretch an HTML page to a width that exceeds the viewable area. Randal Schwartz coined the term "purple dinosaur technique" for submitting an HTML image tag where an application expects plain text. Some values may actually be harmful, such as shell commands smuggled into text fields.
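As an added illustration (not code from the book), the following functions handle the three cases the paragraph names: a number field that must not silently become zero, a text field that must not render a smuggled tag or stretch the page, and a value that ends up on a command line. The form field names and limits are assumptions for the example.

```php
<?php
// Added example, not from the book. Validates hypothetical form fields
// "quantity" (a number), "comment" (plain text) and "hostname" (passed to
// an external command) instead of trusting whatever the browser sent.
declare(strict_types=1);

// A loose (int) cast turns "ten" into 0 silently; a strict check rejects it.
function parseQuantity(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $value === false ? null : $value;
}

// Plain-text fields: cap the length so one long token cannot stretch the
// page, and encode HTML metacharacters so an <img> tag is shown as text,
// not rendered (the "purple dinosaur" case).
function sanitizeComment(string $raw, int $maxLen = 500): ?string
{
    if ($raw === '' || strlen($raw) > $maxLen) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Anything that reaches a shell: allow only the characters a hostname may
// legitimately contain, then quote it anyway with escapeshellarg().
function shellSafeHostname(string $raw): ?string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $raw)) {
        return null;
    }
    return escapeshellarg($raw);
}

// Constructed sample submissions, as the script would see them in $_POST.
$samples = [
    ['quantity' => 'ten', 'comment' => '<img src="dino.gif">', 'hostname' => 'example.com;ls'],
    ['quantity' => '12',  'comment' => 'Looks good',           'hostname' => 'example.com'],
];

foreach ($samples as $post) {
    var_dump(parseQuantity($post['quantity']));
    var_dump(sanitizeComment($post['comment']));
    var_dump(shellSafeHostname($post['hostname']));
}
```

Each function returns null for a rejected value so the caller can re-display the form rather than proceed with a guessed substitute.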

Malicious users are not ...

Get Core PHP Programming, Third Edition now with the O’Reilly learning platform.