Your Comments.

• # re: On the importance of checking inputs

  "All the HTML encoding in the world won’t save you if you’re not constraining and validating your input"
  
  What sort of meaningful constraints/validation can you do on free-text fields (apart from length)?

  Left by Duncan Smart at 2/7/2010 4:12 PM
• # re: On the importance of checking inputs

  I'd only filter out script tags and this CSS table thing hat would make IE6 crash. The rest can stay. What do I care if you add funny stuff into the page to have a laugh? Apart from the traffic, there's no harm done.

  Left by Dorian Muthig at 2/7/2010 7:49 PM
• # re: On the importance of checking inputs

  Duncan the field in question didn't need to be alphanumeric - if memory serves that portion of an Irish number plate is just numbers and a fixed length at that.
  
  Dorian, that's fine if your audience is developers, we all like a giggle. However reputation is also a factor. Imagine when that link hit the general public - sure they'd laugh, but they'd also wonder more about how safe Toyota's web site is. Although of course right now they're wondering how safe their car is.

  Left by barryd at 2/8/2010 3:59 AM
• # re: On the importance of checking inputs

  @Dorian: without encoding the problem is that you can put JavaScript in there that could steal the site admin's auth cookie when they view the data (for example).
  

  Left by Duncan Smart at 2/8/2010 8:40 AM

Your Reply.

Comment Form.

Fields denoted with a "*" are required.

*Your name:

*Subject:

You may also like to leave your email or website.

Your blog:

Your email:  (will not be displayed)

*Your message:
 

Please add 4 and 4 and type the answer here:

Enter the code shown above:

Preview Your Comment.