[snip]

> > How would a hacker pass an HTTP message?
> That is interesting.

Read the off-list posted message from php-list-replies@xxxxxxxxxxxxxxxxxxxxx (reproduced below for the benefit of other list members)

Graham

------
From: php-list-replies@xxxxxxxxxxxxxxxxxxxxx [mailto:php-list-replies@xxxxxxxxxxxxxxxxxxxxx]
Sent: 21 October 2004 23:07
To: Graham Cossey; Stuart Felenstein
Subject: RE: Question: Validation on select boxes and lists.

you have to remember that the user isn't really "filling in a form on your site", rather they are "retrieving a page from your site, storing it on their machine (most times temporarily in their browser) and then sending it back to your site". if you think of it in the latter manner you'll realize that while they have it on their machine, the user can save and edit the form to meet their desires before sending it back.

as such, *all* data input, (whether from a text area, pulldown, checkbox, or radio button) should be validated on your side.

an amusing thing to do is to find a site/page that puts prices as the values on say a pulldown or checkbox. edit these values to something more to your liking and then submit the form. you could end up being charged your "price of choice", rather than what the site thought they were going to charge you.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
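
The server-side check the forwarded message calls for, as an added example that is not part of the original thread: select and checkbox values are accepted only if they match options the server offered, and the amount charged is looked up on the server rather than read from the form. The field names (`plan`, `extras`, `price`), the catalogue and the function `validate_order` are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical catalogue held on the server; prices in cents.
const PLANS  = ['basic' => 1000, 'plus' => 2500, 'premium' => 5000];
const EXTRAS = ['backup' => 300, 'support' => 700];

function validate_order(array $post): array
{
    $errors = [];
    $total  = 0;

    // Select box: must be a string naming an option the server actually offered.
    $plan = $post['plan'] ?? null;
    if (is_string($plan) && array_key_exists($plan, PLANS)) {
        $total += PLANS[$plan];
    } else {
        $errors[] = 'plan: not one of the offered options';
    }

    // Checkbox group: must be an array of known option names, each at most once.
    $extras = $post['extras'] ?? [];
    if (!is_array($extras)) {
        $errors[] = 'extras: malformed';
        $extras = [];
    }
    $chosen = [];
    foreach ($extras as $extra) {
        if (is_string($extra) && array_key_exists($extra, EXTRAS) && !isset($chosen[$extra])) {
            $chosen[$extra] = true;
            $total += EXTRAS[$extra];
        } else {
            $errors[] = 'extras: unknown or repeated option';
        }
    }

    // Any 'price' field the client sent is never read; the total comes from the catalogue.
    $ok = $errors === [];
    return ['ok' => $ok, 'errors' => $errors, 'total_cents' => $ok ? $total : null];
}

// Constructed sample submissions: one as rendered, one edited before being sent back.
$asRendered = ['plan' => 'plus', 'extras' => ['backup'], 'price' => '2800'];
$edited     = ['plan' => 'premium', 'extras' => ['free-upgrade'], 'price' => '1'];

var_dump(validate_order($asRendered));
var_dump(validate_order($edited));
```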