Greg Donald <mailto:[EMAIL PROTECTED]>
on Monday, November 15, 2004 11:08 AM said:
>> <?php
>> if ($_POST['FirstName'] == "") {
>> $display_block = "<h1>Add an Entry</h1>
>> <form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
>> <P><strong>First/Last Names:</strong><br>
>> <input type=\"text\" name=\"FirstName\" size=30 maxlength=75>
>> <input type=\"text\" name=\"LastName\" size=30 maxlength=75>
>
> It's trivial for a malicious attacker to bypass your maxlength, just
> an FYI. You should check with strlen() after the post, or possibly
> look into javascript form validation.
Greg, I'm sure you already understand this, but I just wanted to add to
your statement for those that may not.
JavaScript should not be relied upon for data validation as a security
measure. It should merely be used as a convenience to the user (so they
don't have to wait for a page to reload just to see some error notices)
and to take load off the server (so the server does not have to process
a page 10 times while the customer refines their input to match your
criteria). Having said that, make sure to always have server-side
validation in place even if you *do* in fact also use JavaScript on the
client side.
Chris.
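The server-side length check Greg and Chris describe, as an added example that is not code from the original thread or from the poster's script. It reuses the FirstName/LastName field names and the maxlength=75 limit from the quoted form; the function name, the 1..75 character range, and the constructed sample inputs are assumptions, and it assumes the mbstring extension is available (falling back to strlen() if not).

```php
<?php
// Added example: server-side validation of the two name fields from the
// quoted form. maxlength=75 in the HTML only constrains a well-behaved
// browser; anyone can send a crafted POST with any length, so the limit
// must be re-checked here. NAME_MAX mirrors the form's maxlength.
const NAME_MAX = 75;

/**
 * Return an array of field => error message. An empty array means the
 * posted data passed every check.
 */
function validate_names(array $post): array
{
    $errors = [];
    foreach (['FirstName', 'LastName'] as $field) {
        // A missing key or a non-string (e.g. FirstName[]=x) is treated as empty;
        // never index $post[$field] without checking it exists first.
        $value = (isset($post[$field]) && is_string($post[$field]))
            ? trim($post[$field])
            : '';

        if ($value === '') {
            $errors[$field] = "$field is required.";
            continue;
        }

        // The browser's maxlength counts characters, so measure in characters
        // too. mb_strlen() needs the mbstring extension; strlen() counts bytes,
        // which is stricter (a multibyte character counts more than once).
        $length = function_exists('mb_strlen')
            ? mb_strlen($value, 'UTF-8')
            : strlen($value);
        if ($length > NAME_MAX) {
            $errors[$field] = "$field must be at most " . NAME_MAX . " characters.";
            continue;
        }

        // A text input never submits control characters or newlines; if they
        // arrive, the request did not come from the form as designed.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            $errors[$field] = "$field contains invalid characters.";
        }
    }
    return $errors;
}

// Constructed sample inputs: one as a browser would send it, one crafted to
// ignore maxlength entirely and to smuggle a newline into the last name.
$fromBrowser = ['FirstName' => 'Ada', 'LastName' => 'Lovelace'];
$crafted     = ['FirstName' => str_repeat('A', 500), 'LastName' => "Lovelace\n"];

var_dump(validate_names($fromBrowser));   // array(0) {}
var_dump(validate_names($crafted));       // errors for FirstName and LastName

// When echoing errors or the rejected values back into the page, escape them,
// otherwise the "validation" page becomes an injection point of its own.
foreach (validate_names($crafted) as $field => $msg) {
    echo '<p>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

The check runs on whatever arrives in $_POST, so it holds whether or not the client ran any JavaScript; the client-side script can mirror the same rules for convenience, but this function is the only part that actually enforces them.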
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php