Chapter 5. Dangerous Input, Cleaning Output

A review of several common boundaries and how to properly filter data for use within the context

In Chapter 1 you learned the concept of boundary validation, where data is sanitized in a manner particular to a context just before it is used in that context. In this chapter we will look at the specifics behind filtering user-supplied data for use in database queries or for presentation back to users in a browser or email client.

User-supplied data is the root of all security problems. Here, user data means not just the text and files a user might send to a site but also the information carried by the protocol itself—such as the contents of the browser request. When this data is used improperly it becomes an XSS attack or a SQL injection. Filtering the data and escaping it for the specific context in which it is used is how you ensure the safety of your site.
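To make the boundary-validation idea concrete, here is an added example (not code from the book or from Drupal) that runs one constructed piece of untrusted input through three boundaries: the database, where a bound parameter keeps data separate from the SQL statement and the text is stored raw; the browser, where it is HTML-escaped only at the moment of output; and a URL, where the same text needs percent-encoding instead. The table, author name and comment text are constructed for the demonstration.

```python
import html
import sqlite3
from urllib.parse import quote

# Constructed sample of untrusted input: it carries both an HTML tag and a
# single quote, so it is unsafe in two different contexts for two different reasons.
UNTRUSTED_COMMENT = "I <3 Drupal's hooks <script>alert(1)</script>"


def store_comment(conn, author, body):
    """Database boundary: the raw text is passed as a bound parameter.

    Nothing is escaped here; the driver transmits data separately from the
    SQL, so the quote in the body cannot terminate the string literal.
    """
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def fetch_comments(conn, author):
    """Read back with a bound parameter as well.

    The body comes out exactly as the user sent it, so it can be escaped
    for whichever output context it is about to enter (HTML, URL, mail...).
    Storing pre-escaped text would tie the stored value to one context.
    """
    rows = conn.execute("SELECT body FROM comments WHERE author = ?", (author,))
    return [row[0] for row in rows]


def render_html(body):
    """Browser boundary: escape for HTML text content just before output.

    quote=True also converts ' and " so the value is safe inside attributes.
    """
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_mailto_link(body):
    """URL boundary: the same text placed in a query string is percent-encoded.

    HTML escaping would be the wrong tool here; &lt; is not a valid URL escape.
    """
    return "mailto:?body=" + quote(body, safe="")


def demo():
    """Run the constructed input through all three boundaries and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    store_comment(conn, "alice", UNTRUSTED_COMMENT)
    stored = fetch_comments(conn, "alice")[0]
    return {
        "stored": stored,                    # raw, identical to the input
        "html": render_html(stored),         # safe for an HTML page
        "url": render_mailto_link(stored),   # safe for a query string
    }


if __name__ == "__main__":
    for context, value in demo().items():
        print(f"{context}: {value}")
```

The point of the example is the order of operations: the one value is stored once, unmodified, and each consumer escapes it for its own context at the last moment. Escaping once up front, for the wrong context, leaves the other contexts exposed.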
