Possibly something like this: http://en.wikipedia.org/wiki/Code_injection#HTML-script_injection_.28cross-site_scripting.29
I think what Berend is referring to is the fact that making scripts more 'flexible' like you're suggesting actually opens you up to allowing users to arbitrarily inject data into your application using common injection techniques.

Years ago I found OWASP's information very helpful: http://www.owasp.org/index.php/Main_Page

Unfortunately application security (to my knowledge) isn't widely taught in any tertiary comp sci or dev course I'm aware of... It's something we need to learn as simple best practice.

Paul

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
