[nycphp-talk] Not-so-subtle attack on PHP
David Krings
ramons at gmx.net
Thu Sep 27 06:40:26 EDT 2007
John Campbell wrote:
> On a similar subject:
> If your solution is to "validate input" or "input filtering", you are
> going about things all wrong. Validating input is for the birds;
> prepared sql and output escaping is the way to go. I don't give a
> shit if my users use names like "<a href='javascript:blahblah'>" ,
> just like my web email client doesn't filter it from this post. I
> default to escaping the html automatically when I send it to the view,
> and all queries are prepared. It makes coding much easier, and I
> don't have to worry about forgetting to call esc() once.
>
> When coders hear "don't trust user input" it foolishly gets translated
> to "validate the user's input" and that is one of the primary problems
> with php coders today. I trust all user input and just escape it for
> the db and display. I occasionally validate the input, but that is
> just to make sure the user didn't make a typo.
That is what I still would call input validation. The validation is not
about the sense of the input, but about it being valid for processing by
the system. At least you and I mean the same thing. When I say "all input
is evil" then I mean that you need to check it for being fit for queries
and display. So yes, if a user wants to be referred to by "<a
href='javascript:blahblah'>" then I'd not stop them from it.
David
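The pattern the two posts agree on, shown as an added example that is not code from either poster: store the user's name exactly as typed via a prepared statement, and escape it once, at the point it is handed to the view. The database (an in-memory SQLite via PDO), the table, the function names (addUser, findUserByName, esc, renderGreeting) and the sample inputs are all constructed for this illustration.

```php
<?php
// Added example, not from the original thread. Demonstrates "prepared SQL and
// output escaping" instead of trying to filter markup out of user input.
// Uses an in-memory SQLite database through PDO so it runs stand-alone.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

/** Insert a display name exactly as typed; the bound parameter is data, never SQL. */
function addUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $pdo->lastInsertId();
}

/** Look a user up by name; quotes or comment markers in $name stay inert because it is bound. */
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** The single place HTML escaping happens: on the way into the view. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Every interpolated value passes through esc(), so a name containing markup is displayed, not rendered as a tag. */
function renderGreeting(array $user): string
{
    return '<p>Hello, ' . esc($user['name']) . '!</p>';
}

/** The only "validation" left is the typo-style sanity check the posts mention: a sane length, not a markup filter. */
function isPlausibleName(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    return $len >= 1 && $len <= 64;
}

// Constructed sample inputs: the markup-laden name from the thread, an
// apostrophe that would break naive string concatenation, and a quote/comment string.
$inputs = [
    "<a href='javascript:blahblah'>",
    "O'Brien",
    "x' OR '1'='1' --",
];

foreach ($inputs as $name) {
    if (!isPlausibleName($name)) {
        continue;
    }
    $id = addUser($pdo, $name);
    $user = findUserByName($pdo, $name);
    // Round trip is exact: nothing was stripped or mangled on the way into the database.
    assert($user !== null && (int) $user['id'] === $id && $user['name'] === $name);
    echo renderGreeting($user), PHP_EOL;
}
```

Running it prints three greetings in which the angle brackets and quotes appear as entities rather than as live markup, while the stored values are byte-for-byte what the user supplied. The escaping call sits in the rendering helper rather than at each call site, which is the point John makes about not having to remember esc() every time.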