kind of. In some ways, it’s very simple; but you still need to pay close attention. In order to do any of this, you need to be able to recognize when something actually needs to be escaped.
When you receive a comment from a form, do you need to worry about it being escaped for SQL? No, not until you actually put it in SQL.
When you get a comment from the database, do you need to worry about HTML being escaped? No, not until you output it to the browser.
When you get an email address from a contact form, do you need to make sure it won’t inject headers into your email? No, not until you actually use it to send an email.
The key is to make it a habitual response to escape data when it needs to be. If you decide to just sanitize everything once and for all when it comes in, you’ll never develop the habit of checking later, and so something will eventually sneak by because you assumed it had already been dealt with.
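The three cases above, as an added example that is not part of the original text: the value stays raw until it reaches a SQL statement, an HTML page, or a mail header, and each of those points applies its own handling. Python, `sqlite3` and the standard `email` module are assumed stand-ins here, and the function names and sample inputs are constructed for illustration.

```python
import html
import sqlite3
from email.message import EmailMessage

# Constructed sample inputs, kept exactly as they arrived from the form.
RAW_COMMENT = "It's great <script>alert(1)</script>"
RAW_EMAIL = "visitor@example.com\r\nBcc: everyone@example.com"


def store_comment(db, comment):
    # SQL context: a bound parameter keeps the data out of the statement text.
    db.execute("INSERT INTO comments (body) VALUES (?)", (comment,))


def render_comment(db):
    # HTML context: escape only now, as the value is written into markup.
    (body,) = db.execute("SELECT body FROM comments").fetchone()
    return "<p>" + html.escape(body, quote=True) + "</p>"


def build_mail(reply_to, body):
    # Mail header context: a CR or LF would begin a new header, so refuse it.
    if "\r" in reply_to or "\n" in reply_to:
        raise ValueError("line break in header value")
    msg = EmailMessage()
    msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg


def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (body TEXT)")
    store_comment(db, RAW_COMMENT)
    # The database holds the original text, not an HTML-escaped copy.
    stored = db.execute("SELECT body FROM comments").fetchone()[0]
    page = render_comment(db)
    try:
        build_mail(RAW_EMAIL, stored)
        mail_rejected = False
    except ValueError:
        mail_rejected = True
    return stored, page, mail_rejected


if __name__ == "__main__":
    print(demo())
```

Because the stored value is unmodified, the same row can later be written to a different context (a JSON response, a plain-text mail body) with that context's own encoding.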