Post #7, 01-10-2013, 06:58 AM
felgall (Master Coder, Sydney, Australia)
Validating ALL user inputs on the server before doing anything else with them will take care of most security issues - that way the attack can only be made using fields that can validly contain something that could be misinterpreted as code.

Next keep the data separate from code as much as possible - for example use prepare and bind statements for database access instead of query.

Finally where data can't be kept separate from the code (such as inserting into HTML) that's where you need to escape the data so that it can't be misinterpreted as being a part of the code.

Defense in Depth means that you might do all of these even on fields where there is no possibility of the field ever containing anything harmful after the validation step just in case someone finds a hole in your validation.
__________________
Stephen
Learn Modern JavaScript - http://javascriptexample.net/
Helping others to solve their computer problem at http://www.felgall.com/
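The three layers the post describes (validate on the server, keep data out of the SQL text with prepared/bound parameters, escape only where the data must become part of the HTML), as an added Python example that is not felgall's code; the in-memory `comments` table and the field rules are constructed for the illustration.

```python
import html
import re
import sqlite3

# Constructed in-memory table standing in for a real comments table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE comments (author TEXT NOT NULL, body TEXT NOT NULL)")

AUTHOR_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def validate_author(author):
    """Layer 1: a name field has a strict format, so reject anything else outright."""
    if not AUTHOR_RE.match(author):
        raise ValueError("invalid author name")
    return author


def validate_body(body):
    """Layer 1 for free text: only length can be checked here, so characters that
    look like SQL or HTML are allowed and dealt with by the next two layers."""
    if not 1 <= len(body) <= 500:
        raise ValueError("comment body must be 1-500 characters")
    return body


def store_comment(author, body):
    """Layer 2: bound parameters keep the values separate from the SQL statement."""
    author = validate_author(author)
    body = validate_body(body)
    conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def render_comments():
    """Layer 3: the values must become part of the HTML, so escape them on output."""
    rows = conn.execute("SELECT author, body FROM comments ORDER BY rowid").fetchall()
    return "".join(
        "<p><b>%s</b>: %s</p>" % (html.escape(a, quote=True), html.escape(b, quote=True))
        for a, b in rows
    )


if __name__ == "__main__":
    store_comment("alice", "1' OR '1'='1")             # SQL-looking text is stored as data
    store_comment("bob", "<script>alert(1)</script>")  # HTML-looking text is escaped on output
    print(render_comments())
```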