Good starters. I would add one more starter item: don't blindly grab everything out of the $_POST[] array. Instead, only grab the variables that *you* put on the form page. A cracker might send you a name/value pair like "$admin=1", trying to guess what flag you are using for "admin" users.
Kirk

> -----Original Message-----
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 05, 2002 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Making sure a post request came from your site
>
> > Ok, then how do you go about checking to make sure that submitted
> > data is, in fact, benign and acceptable for your use?
>
> For starters:
>
> If it's supposed to be a number make sure that it is a number.
> If it's supposed to be a name make sure it only contains
> letters a-z & A-Z & spaces.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
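
The two suggestions in this thread (copy only the fields your own form defines, and check each one against what it is supposed to be) can be combined as below. This is an added example, not code from any poster in the thread; the field names `age` and `name`, the length limits, and the `read_form` helper are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical form definition: the only fields this page put on its form,
// each paired with the check described in the thread.
const FORM_FIELDS = [
    'age'  => '/\A[0-9]{1,3}\z/',       // supposed to be a number
    'name' => '/\A[A-Za-z ]{1,64}\z/',  // letters a-z, A-Z and spaces only
];

/**
 * Copy only the expected fields out of a request array and validate each one.
 * Returns [clean values, errors, names of unexpected keys that were ignored].
 */
function read_form(array $post, array $fields = FORM_FIELDS): array
{
    $clean = [];
    $errors = [];
    foreach ($fields as $field => $pattern) {
        $value = $post[$field] ?? null;
        // Missing fields and arrays (e.g. name[]=x) are rejected, not coerced.
        // \A and \z anchor the whole string, so a trailing newline fails too.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'missing or invalid';
            continue;
        }
        $clean[$field] = $value;
    }
    // Keys the form never defined are not copied; return them for logging.
    $ignored = array_keys(array_diff_key($post, $fields));
    return [$clean, $errors, $ignored];
}

// Constructed sample request: two real fields plus an injected "admin" pair.
$sample = ['age' => '34', 'name' => 'Ada Lovelace', 'admin' => '1'];
[$clean, $errors, $ignored] = read_form($sample);
var_dump($clean, $errors, $ignored);

// Constructed bad request: a non-numeric age and an array where a string belongs.
[$clean2, $errors2] = read_form(['age' => '34abc', 'name' => ['x']]);
var_dump($clean2, $errors2);
```

In a real handler the call would be `read_form($_POST)`, and the rest of the script would read only from the returned clean array, never from `$_POST` directly.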