8 Dec 2005, 6:57 a.m.
On Thu, 8 Dec 2005 20:44:43 +0100 (CET) "Garvin Hicking" <phpmyadmin@supergarv.de> wrote:
- sanitize individually what can be echoed (like $message) with PMA_sanitize(), for XSS protection. Any need to sanitize something else?
I'm +1 for sanitizing all output depending on whether HTML is allowed or not. However I admit I haven't looked at the current code for ages. :(
You cannot do any sanitizing on data inserted into MySQL - field values, SQL commands etc. ... And that's most of the data we handle ;-).

-- Michal Čihař | http://cihar.com
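The two positions in the thread fit together as "store raw, escape at output". The example below is added here and is not phpMyAdmin's code nor the `PMA_sanitize()` function mentioned above; `render_html()`, `store_value()`, the `$db` mysqli connection and the table and column names are assumptions made for illustration. It shows the stored value passing into MySQL unchanged through a prepared statement, while the decision about HTML is made only at the moment the value is echoed into a page.

```php
<?php
// Added example, not phpMyAdmin's own code. Illustrates the point made in the
// thread: data going into MySQL is stored unchanged, and escaping happens
// only at the point where a value is echoed into HTML.

/**
 * Prepare a string for an HTML context. With $allow_html = false every
 * HTML-special character becomes an entity. With $allow_html = true the
 * value is escaped the same way first and only a fixed set of literal,
 * attribute-free tags is restored afterwards, so no user-controlled markup
 * (attributes, scripts, unknown tags) can survive.
 */
function render_html(string $value, bool $allow_html = false): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!$allow_html) {
        return $escaped;
    }
    $allowed = ['<b>', '</b>', '<i>', '</i>', '<br>'];
    foreach ($allowed as $tag) {
        $entity = htmlspecialchars($tag, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $escaped = str_replace($entity, $tag, $escaped);
    }
    return $escaped;
}

/**
 * Store a field value exactly as given. A prepared statement keeps the value
 * out of the SQL text, so the data itself is neither escaped nor altered.
 * $db is an assumed mysqli connection; table and column names are hypothetical.
 */
function store_value(mysqli $db, string $value): void
{
    $stmt = $db->prepare('INSERT INTO example_table (example_column) VALUES (?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $stmt->close();
}

// Constructed sample input: a field value that happens to contain markup.
$sample = '<script>alert(1)</script> <b>bold</b> O\'Reilly';

// Plain-text context: nothing in the value is interpreted as markup.
echo render_html($sample) . "\n";
// Message context where limited formatting is allowed: only <b>...</b> is
// restored; the <script> element stays escaped.
echo render_html($sample, true) . "\n";
```

The value handed to `store_value()` is the same `$sample` string, untouched; whether it is later rendered with or without HTML is a property of the output location, not of the row in the database, which is why sanitizing at insert time would be both wrong for the data and insufficient for XSS.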