
pierrekin | 2 years ago

I was made to do this at work also. The reasoning went something like this.

Yes of course we need to properly escape all strings that we render / use parameterised queries to avoid injection attacks, however we also need defense in depth, so all fields need to reject code that looks like SQL or HTML.

It was easier to just add this than push back. Sigh.
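An added illustration of the two halves of that reasoning (example code written for this page, not the commenter's or their employer's): with Python's sqlite3, a parameterised statement stores a customer called O'Brien, a firm called Select Committee Ltd, or even an injection-shaped string as plain data, while a hypothetical "looks like SQL or HTML" rejection filter of the kind described turns every one of those legitimate names away. The regex, table and sample values are constructed for the example.

```python
import re
import sqlite3

# Constructed sample field values: realistic names that happen to
# contain characters or words a "looks like SQL" filter would flag.
SAMPLE_NAMES = [
    "Robert O'Brien",         # apostrophe, the classic injection character
    "Select Committee Ltd",   # starts with a SQL keyword
    "Union Jack Pub",         # another keyword
    "Drop Bear Outfitters",
]

# A hypothetical "reject anything that looks like SQL or HTML" rule of
# the sort the comment describes; not any real product's rule set.
SUSPICIOUS = re.compile(
    r"(['\";<>]|--|\b(select|insert|update|delete|drop|union)\b)",
    re.IGNORECASE,
)


def looks_like_code(value: str) -> bool:
    """The blacklist check: True means the field would be rejected."""
    return SUSPICIOUS.search(value) is not None


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_customer(conn: sqlite3.Connection, name: str) -> None:
    # Parameterised statement: the driver passes `name` as a bound value,
    # never as SQL text, so no escaping of the value is needed or done here.
    conn.execute("INSERT INTO customers (name) VALUES (?)", (name,))
    conn.commit()


def find_customer(conn: sqlite3.Connection, name: str):
    row = conn.execute("SELECT name FROM customers WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM customers").fetchone()[0]


def compare(names):
    """Return (names the filter rejects, whether every name round-trips intact)."""
    conn = setup_db()
    rejected = [n for n in names if looks_like_code(n)]
    intact = all(
        (insert_customer(conn, n), find_customer(conn, n) == n)[1] for n in names
    )
    return rejected, intact


def injection_shaped_is_inert(value: str = "x' OR 1=1 --") -> bool:
    """With parameters bound, an injection-shaped value is stored as a literal
    string: exactly one row appears, holding the value verbatim."""
    conn = setup_db()
    insert_customer(conn, value)
    return row_count(conn) == 1 and find_customer(conn, value) == value


if __name__ == "__main__":
    rejected, intact = compare(SAMPLE_NAMES)
    print("rejected by blacklist:", rejected)
    print("all names stored and read back intact:", intact)
    print("injection-shaped value stored as plain data:", injection_shaped_is_inert())
```

The point the output makes is that the blacklist rejects all four ordinary names, while the parameterised path stores and retrieves every one of them, and the injection-shaped string, unchanged. The filter costs usability without adding a security boundary the bound parameters do not already provide.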
