PHP - security etc

Eric Wilhelm scratchcomputing at
Thu Mar 8 21:21:22 GMT 2007

# from Aaron Trevena
# on Thursday 08 March 2007 12:10 pm:

>Actually, I think Paul's argument is a straw man, escaping is to do
>with handling formats of data, so that it is displayed correctly - XSS,
>etc should be prevented at the point of entry, not at the last minute
>before being displayed to the user when generating templated output.

No, silly.  It's supposed to be done with a Hungarian Notation 

I think he's saying we should do this:

  my u$foo = user_supplied_value('foo');

  print u$foo;

Sure makes it look wrong to me :-D

perl -e 'srand; print join(" ",sort({rand() < 0.5}
  qw(sometimes it is important to be consistent)));'
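As an added example (my own code, not from the original post or the list), here is the naming convention Eric is describing spelled out in working Perl: names beginning with `us_` hold raw user-supplied text, names beginning with `ss_` hold text that has already been HTML-escaped, and only `ss_` values are meant to reach the output sink, so `print $us_comment` looks wrong on sight. It goes one step beyond the post by adding a small source scanner that catches exactly those lines mechanically. The function names `ss_from_us`, `render_ss` and `find_unsafe_output`, and both sample inputs, are assumptions of this example.

```perl
#!/usr/bin/perl
# Added example, not code from the original post: a us_/ss_ naming
# convention for web output. us_ = user-supplied (unsafe), ss_ = safe
# string, already HTML-escaped. Function names and inputs are made up
# for this illustration.
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute
# context. Takes a us_ value, returns an ss_ value.
sub ss_from_us {
    my ($us) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    (my $ss = $us) =~ s/([&<>"'])/$map{$1}/g;
    return $ss;
}

# Output sink: by convention only ss_ values are ever passed here.
sub render_ss {
    my ($ss) = @_;
    return "<p>$ss</p>\n";
}

# Constructed sample input standing in for a CGI parameter.
my $us_comment = q{<script>alert("hi")</script> it's "quoted" & more};

# Correct use: escape first, then hand the ss_ value to the sink.
my $ss_comment = ss_from_us($us_comment);
print render_ss($ss_comment);

# Mechanical check for the convention: report every line that hands a
# us_ variable to print or to the renderer. A hypothetical lint, not a
# real tool; a real one would use a proper parser rather than a regex.
sub find_unsafe_output {
    my ($source) = @_;
    my @hits;
    my $n = 0;
    for my $line (split /\n/, $source) {
        $n++;
        push @hits, "$n: $line"
            if $line =~ /\b(?:print|render_ss)\b[^;]*\$us_\w+/;
    }
    return @hits;
}

# Constructed snippet with one correct use and one wrong use; only the
# third line (raw us_ value printed straight into markup) is reported.
my $snippet = <<'END';
my $ss_name = ss_from_us($us_name);
print render_ss($ss_name);
print "<b>$us_name</b>";
END

print "$_\n" for find_unsafe_output($snippet);
```

The convention only works if the escaping function is the single place where a `us_` value becomes an `ss_` value, and if the escaping matches the output context (the example escapes for HTML text and attributes; a value going into a URL or a JavaScript string needs a different `ss_from_us`).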
