Glad it was helpful, thank you

You're welcome & thank you 🙌

Thank you

Happy to hear, you're welcome 🙌

Thanks a lot!

Thank you

You're welcome 💙

Thank you 🙌

Thanks 🙏

It's ok to write ugly code first & then refactor. My usual goal is to get it working regardless of how code looks. Then if it looks ugly I refactor it. Sometimes it doesn't look ugly, sometimes it does. That being said, I don't take too long to refactor because then it will never be done and you would just be building on more tech debt. I refactor it mostly on the same day, so I write & get it to work first & then right away refactor it.

@@ProgramWithGio Okay great Gio. The way you described it being done in the same day makes a lot of sense. And then not accumulating tech debt (I like that phrase lol.) Seems like a pretty good idea.

Hello, what do you mean by a "stream course"?

😁 🇬🇪🇬🇪

Thanks for the suggestion 🙌

Nice

Good way to look at it 😄

Generally I agree but you should save data in database table as is, as I stated in video it can cause bad user experience if you start converting HTML entities on save or removing HTML elements, a long text entered by user in a note field can contain special characters that are not harmful but you sanitizing and removing or converting them will hurt the UX when displaying that data not to even mention double escape. So rule of thumb is escape on output and HTML person or the one working on front-end should know that, and in backend you sanitize what you need but try to save the original text as is in the database table. Maybe you misunderstood, I don't mean to pass raw text in queries, of course you would still use prepared statements which protects you from SQL injection, I mean saving text safely in the database in it's raw form.

Also not sure what you mean by 3rd party libraries? We are not using any third party library, we are using Twig templating engine which is jus that a templating engine and provides protection. Even if you use plain PHP templates you still need to escape it manually otherwise you are vulnerable to XSS whether you sanitize data in backend on save or not.

@@ProgramWithGio Hey Gio, really like your series. I don't disagree with really anything you've said. As I stated, sanitize what you NEED to sanitize, ie, what you ShOULD sanitize BEFORE it goes into the DB and when you RETRIEVE it from the DB. As the developer, you should know what they are; what fields; what sorts of data. Obviously, if you have comments data that allows for html, you don't want to completely sanitize that. You may want to allow for some css styling, but remove script tags. On the other hand, I think it's bad practice to let the HTML guy work with dangerous data and give him the power/opportunity to make bad mistakes. Anything that should be sanitized should already be sanitized before he gets his hands on it at the presentation/html level, in my view. Whatever data he works with should be harmless and innocuous and pre-sanitized. Twig is not native to PHP, so it is a kind of 3rd party library? External templating engines may be a good choice, but ultimately, optional. Personally, it doesn't seem to be a good idea to rely on templating engines to protect you against XSS attacks. All data should already be sanitized by the time it is handed over to the presentation layer. Enjoy your videos, Gio!

@@Octavus5 yea for sure, sanitize what you need to sanitize but I think you are misunderstanding something. Twig has nothing to do here, even if it's regular PHP you have to escape all output regardless if it's safe or not. Same way frontend can't rely on backend to have everything sanitized. All output should always be escaped on display, regular PHP that's done via htmlspecialchars function, in js context it's done via json_encode and so on. XSS is very dangerous and can't be taken lightly, it's not something only backend can take care of, person working on front-end should be well aware of what XSS is and how to properly escape it. Data may not be coming from database, it may be coming from API in which case you can't guarantee it to be "safe" and sanitized, so it should always be escaped. Templating engines just make it easier, we just happen to be using Twig in this series, if we weren't then we would be using htmlspecialchars to escape on display. I almost never apply htmlspecialchars on backend on save because that is worse in many cases where it opens up for double escape problems. Thank you btw 💙💙

Maybe the confusion is with wording "sanitize" vs "escape". Sanitize/filter input before going to database I agree, but escape on output. Here is one article where you can read more about it, I do disagree with couple of his points but is still worth a read: benhoyt.com/writings/dont-sanitize-do-escape/ And discussion on Reddit if you want to see what others think about it: www.reddit.com/r/PHP/comments/s32zcu/dont_try_to_sanitize_input_escape_output/hsifnhk?context=3

😂