FAQ
Thanks Egon, this is exactly what I wanted to know.

On Sat, Jul 19, 2014 at 12:45 AM, egon wrote:
On Saturday, 19 July 2014 01:19:14 UTC+3, Rob Thornton wrote:

I'm fairly ignorant of Internet Security and, seeing as I'm going to be
writing my first web app, I wanted a bit of a clarification on one point.

If input has been escaped
How do you know it has been escaped?
is it strictly necessary to sanitize it (removing html tags for example)?
It strikes me that the html will not be rendered/executed by the browser if
the string has already been escaped but merely be displayed.

The app will not take much in the way of input except for a User name or
ID, password, email address and mailing address. If displaying this
information on a settings page, is there anything more that needs be done
to the string itself?
Use html/template package for rendering, it does escaping automatically.
Of course be careful if you are doing browser side template rendering, I'm
not sure what are the safe libraries for it.

Try to write code such that input/output code doesn't need manual
sanitization, let the packages do it for you. It's very easy to forget to
call such functions and it should be handled automatically as much as
possible.

This also applies to search. I want to ensure no code gets injected to a
DB search. Will html.EscapeString() be adequate since it will escape the
single or double quote?
Don't add together SQL strings to construct the query/exec parameter. e.g.

// this is safe
db.QueryRow("SELECT age FROM users WHERE name = ?", name)

// this is not
db.QueryRow("SELECT age FROM users WHERE name = '" + name + "'")

Thanks,
Rob
--
You received this message because you are subscribed to a topic in the
Google Groups "golang-nuts" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/golang-nuts/F8Zuq87lHLw/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
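As an added example (not code from the thread or from the Go project), the settings page from the question rendered with html/template so each field is escaped for the context it lands in, egon's safe QueryRow line carried through to Scan, and html.EscapeString applied to a name with an apostrophe to show why HTML escaping is not SQL escaping. The users table, the opened *sql.DB and the sample inputs are assumed or constructed for this example.

```go
package main

import (
	"database/sql"
	"fmt"
	"html"
	"html/template"
	"strings"
)

// Settings holds the constructed per-user data the settings page shows.
type Settings struct{ Name, Email string }

// One untrusted value lands in three contexts; html/template picks the
// escaper for each (HTML text, quoted attribute value, JavaScript string).
const settingsTmpl = `<p>Name: {{.Name}}</p>
<input name="email" value="{{.Email}}">
<script>var user = {{.Name}};</script>`

// RenderSettings hands raw user strings to html/template; nothing is
// escaped by hand first.
func RenderSettings(s Settings) (string, error) {
	var out strings.Builder
	t := template.Must(template.New("settings").Parse(settingsTmpl))
	if err := t.Execute(&out, s); err != nil {
		return "", err
	}
	return out.String(), nil
}

// LookupAge completes egon's safe QueryRow line: constant SQL text, name
// bound as a parameter (users table and db are assumed, not from the page).
func LookupAge(db *sql.DB, name string) (int, error) {
	var age int
	err := db.QueryRow("SELECT age FROM users WHERE name = ?", name).Scan(&age)
	return age, err
}

// HTMLEscapedName shows why html.EscapeString is the wrong tool for a DB
// search: a legitimate apostrophe is rewritten, so the value stored or
// compared no longer equals the user's real name.
func HTMLEscapedName(name string) string { return html.EscapeString(name) }

func main() {
	page, err := RenderSettings(Settings{ // constructed hostile input
		Name: `<script>alert(1)</script>`, Email: `a@b.example" onfocus="x()`})
	if err != nil {
		panic(err)
	}
	fmt.Println(page)
	fmt.Println(HTMLEscapedName("O'Brien")) // O&#39;Brien
}
```

Running it prints the hostile name as harmless text in the paragraph, as `&#34;`-escaped text inside the attribute, and as a JSON string literal inside the script block, with no manual escaping in the handler.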

Discussion Overview
group: golang-nuts
categories: go
posted: Jul 18, '14 at 10:19p
active: Jul 19, '14 at 6:49p
posts: 4
users: 3
website: golang.org