• This is just a curiosity question…

    As stated in codex/data_validation,

    Untrusted data comes from many sources (users, third party sites, your own database!, …) and all of it needs to be validated both on input and output.

    I don't really get it: if data sent to my DB is correctly escaped, why would it happen to become untrusted? Especially if the field to output is a numeric data type…

Viewing 1 replies (of 1 total)
  • Basic security rule of thumb: assume nothing and check everything. If you expect the output to be numeric, then check to see that it is numeric before doing anything else.

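As an added illustration (not code from this thread or from WordPress core), a small PHP helper that applies the reply's advice: validate a value read from the database as an integer before using it, then escape it on output. It assumes a WordPress context for esc_html() (with a plain PHP fallback); validate_db_int() and render_quantity() are names chosen here.

```php
<?php
// Added example, not from the original thread. Values read through $wpdb come
// back as PHP strings, and meta tables store everything as text, so a field you
// think of as "numeric" can still yield "12abc", "1e3", "" or NULL at output time.

/**
 * Return $raw as an int within [$min, $max], or null if it is not a valid int.
 */
function validate_db_int( $raw, int $min = 0, int $max = PHP_INT_MAX ): ?int {
    if ( is_int( $raw ) ) {
        $value = $raw;
    } elseif ( is_string( $raw ) ) {
        // FILTER_VALIDATE_INT rejects floats, exponents, hex and stray characters.
        $value = filter_var( trim( $raw ), FILTER_VALIDATE_INT );
        if ( false === $value ) {
            return null;
        }
    } else {
        return null; // NULL, bool, float, array: not an integer column value.
    }
    return ( $value >= $min && $value <= $max ) ? $value : null;
}

/**
 * Output helper: validate first, escape second, never echo the raw value.
 */
function render_quantity( $raw ): string {
    $qty = validate_db_int( $raw, 0, 1000000 );
    if ( null === $qty ) {
        return '<span class="qty">n/a</span>'; // Real code would also log the bad row.
    }
    $escape = function_exists( 'esc_html' ) ? 'esc_html' : 'htmlspecialchars';
    return '<span class="qty">' . $escape( (string) $qty ) . '</span>';
}

// Constructed sample values, as $wpdb->get_var() or get_post_meta() might return them.
$samples = array( '42', ' 7 ', '12abc', '1e3', '-1', '', null, '<img src=x>' );
foreach ( $samples as $raw ) {
    printf( "%-14s => %s\n", var_export( $raw, true ), render_quantity( $raw ) );
}
```

Only '42' and ' 7 ' survive as numbers here; every other sample is rejected before it reaches the markup, which is the point of checking on output even when the column was escaped on input.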
  • The topic ‘Why do I have to validate data from DB on output?’ is closed to new replies.