On Thu, 8 Dec 2005 20:44:43 +0100 (CET) "Garvin Hicking" phpmyadmin@supergarv.de wrote:
> - sanitize individually what can be echoed (like $message) with
> PMA_sanitize(), for XSS protection. Any need to sanitize something else?
I'm +1 for sanitizing all output depending on whether HTML is allowed or not. However, I admit I haven't looked at the current code for ages. :(
You cannot do any sanitizing on data inserted into MySQL - field values, SQL commands, etc. ... And that's most of the data we handle ;-).
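The split the two messages above argue for (leave stored values and SQL untouched, escape only at the point of output, and choose the escaper by whether HTML is allowed) is shown below as an added example. It is not phpMyAdmin code and not PMA_sanitize() itself; escape_for_html() and escape_allowing_basic_html() are stand-ins I assume here, and the in-memory SQLite database via PDO is only so the script runs offline (the project targets MySQL, but the escaping logic is the same).

```php
<?php
// Added example, not phpMyAdmin's own code: store user data verbatim via a
// bound parameter, and escape it only when it is echoed into HTML.
declare(strict_types=1);

// Output-side escaper for contexts where NO HTML is allowed. Assumed stand-in
// for PMA_sanitize(); not the project's implementation.
function escape_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Output-side escaper for $message-style strings where a small, fixed HTML
// subset is allowed: escape everything, then re-enable only bare allow-listed
// tags (no attributes can survive, so onerror= and friends stay inert).
function escape_allowing_basic_html(string $value): string
{
    $escaped = escape_for_html($value);
    foreach (['b', 'i', 'code'] as $tag) {
        $escaped = str_replace("&lt;{$tag}&gt;", "<{$tag}>", $escaped);
        $escaped = str_replace("&lt;/{$tag}&gt;", "</{$tag}>", $escaped);
    }
    return $escaped;
}

// Constructed sample input: a field value that is both a stored-XSS payload
// and a SQL-injection attempt. It must reach the database exactly as typed.
$userValue = "<script>alert('x')</script>'; DROP TABLE t; --";

// Assumed: SQLite in memory so the example is self-contained.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE t (id INTEGER PRIMARY KEY, val TEXT NOT NULL)');

// No sanitizing on the way in: the value is a bound parameter, so it cannot
// change the SQL structure and the stored bytes are left untouched.
$stmt = $pdo->prepare('INSERT INTO t (val) VALUES (:val)');
$stmt->execute([':val' => $userValue]);

// Round trip must be byte-exact; any "input sanitizing" would break this.
$stored = $pdo->query('SELECT val FROM t WHERE id = 1')->fetchColumn();
if ($stored !== $userValue) {
    throw new RuntimeException('stored value was altered');
}

// Escape at output time, per context.
echo '<td>' . escape_for_html($stored) . "</td>\n";

$message = 'Row inserted: <b>1</b> <img src=x onerror=alert(1)>';
echo '<div class="notice">' . escape_allowing_basic_html($message) . "</div>\n";
```

The point to check in a code review is that every `echo` of data that came from the user or from a table goes through one of these escapers, while the values handed to `prepare()`/`execute()` never do.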