David Mintz wrote:
> Once upon a time someone said it was a security risk to echo back
> $_POST data unconditionally, even if you escape it, and even though
> you are only showing them the very thing they just submitted to you.
> But I forget what that risk was. Maybe I misremember.
It depends on what you're doing.
As an example, what if you're echoing the message text for an email someone sends
to your site. It's just one field, and you put your logo and framing
around it, but without much explanatory text.
Now, I trick someone with an account on your site to post to that form
and display the following text:
"There is a problem with your account. Please contact scumsucker at
212-000-0000 and have your account name and the credit card number
associated with the account to verify account ownership".
Oops, not such a good idea to display that on your site!
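The trick above works because a third party can push text through the site's own form and have it shown inside the site's framing. An added example, not code from anyone in this thread, showing the two checks that blunt it in PHP: a per-session CSRF token so only this site's form can feed the echo, and an escaped, explicitly labelled preview so the text cannot pass as a notice from the site (function names `csrf_token`, `csrf_valid` and `render_preview` are assumed here):

```php
<?php
// Added example (not from the thread). Two defences for echoing back a
// submitted message:
//  1. Only echo a submission that came from this site's own form, verified by
//     a per-session CSRF token, so another site cannot post text through it.
//  2. Render the echo escaped and inside an explicit "you typed this" frame,
//     so it reads as the submitter's words, never as the site's own notice.
session_start();

// Issue (or reuse) the session's CSRF token when rendering the form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token with the session token.
function csrf_valid(array $post): bool {
    return isset($_SESSION['csrf_token'], $post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Escape and label the echoed message; the label is the part escaping alone
// does not give you.
function render_preview(string $message): string {
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><strong>Preview of the message you just typed '
         . '(this is not a notice from this site):</strong></p>'
         . '<blockquote class="user-submitted">' . nl2br($safe) . '</blockquote>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)) {
        // Reject rather than echo anything from a cross-site or stale post.
        http_response_code(403);
        exit('Form token missing or invalid; please use the contact form on this site.');
    }
    echo render_preview((string) ($_POST['message'] ?? ''));
} else {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . $token . '">'
       . '<textarea name="message"></textarea>'
       . '<button type="submit">Send</button></form>';
}
```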
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk