Rasmus Lerdorf <mailto:[EMAIL PROTECTED]>
on Friday, May 27, 2005 4:15 PM said:
> He was apparently doing something along the lines of:
>
> foreach($_GET as $key=>$val) {
> echo <<<EOL
> <input type="hidden" name="$key" value="$val">
> EOL;
> }
>
> Probably just a lazyness thing. Generally you will want to keep track
> of which query args are actually valid and not just parrot whatever
> you get back to the user.
Oh I see.
> Or if you are going to do do it this way,
> recognize that you have to filter/encode both the query arg names and
> the values.
One question. (Because I'm a lame brain when it comes to security as I'm
not good at imagining how things can be exploited):
Is it bad to give field names the same name as their database
counterpart? i.e. In a database the first name column might be known as
'fname'. Should a form field called 'fname' NOT be created?
Chris.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
