RE: Question: Validation on select boxes and lists.

I just remembered something (smacks myself in the
head).
In both my multi select and select menus I use dynamic
options (meaning the options available come from a
table). So:
Table for states would look like this:
+----------+-------------------+
| StateID  |   State [Label]   |
+----------+-------------------+
|   1      |    Arkansas       |
+----------+-------------------+
|   2      |    Alabama        |
+----------+-------------------+
|   3      |    Arizona        |
+----------+-------------------+

What gets stored in the database is the StateID, the
column is an int.  My understanding is the database
just won't accept anything but an int. I mean I'm
jamming on my keys now and the only thing the column
will take is a real number.

Based on this I think a hacker can do whatever they
want by saving the page and altering the input but all
it would do is fail on insertion.

Does this make sense?
And I'm not trying to be lazy here, only practical.
Of course, should I still be polite to hackers by
still testing for invalid characters :)

Stuart


--- Graham Cossey <graham@xxxxxxxxxxxxxxx> wrote:

> [snip]
> >
> > How would a hacker pass an HTTP message ?
> > That is interesting.
> 
> read the off-list posted message from
> php-list-replies@xxxxxxxxxxxxxxxxxxxxx
> 
> (reproduced below for the benefit of other list
> members)
> 
> Graham
> ------

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
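
Added example, not part of the original thread: a server-side check for the select and multi select values discussed above, confirming that each submitted value is both an integer and one of the StateID rows the menu was built from (an integer such as 999 passes a type check but was never offered). The `states` table name, the helper functions and the sample inputs are assumptions; it uses an in-memory SQLite database through PDO so it runs offline.

```php
<?php
declare(strict_types=1); // PHP 8+ (uses the mixed type)

// Constructed stand-in for the options table; the table name "states" is assumed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE states (StateID INTEGER PRIMARY KEY, State TEXT NOT NULL)');
$pdo->exec("INSERT INTO states VALUES (1,'Arkansas'),(2,'Alabama'),(3,'Arizona')");

// Hypothetical helper: returns the id only if it is an integer AND an offered option.
function validStateId(PDO $pdo, mixed $raw): ?int
{
    if (!is_string($raw)) {           // tampered forms can send arrays (state[]=...)
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {              // rejects "abc", "", "1.5", "2abc"
        return null;
    }
    // Type check alone is not membership: look the id up in the options table.
    $stmt = $pdo->prepare('SELECT 1 FROM states WHERE StateID = ?');
    $stmt->execute([$id]);
    return $stmt->fetchColumn() !== false ? $id : null;
}

// Hypothetical helper for the multi select: one bad value rejects the submission.
function validStateIds(PDO $pdo, mixed $raw): ?array
{
    if (!is_array($raw) || $raw === []) {
        return null;
    }
    $ids = [];
    foreach ($raw as $value) {
        $id = validStateId($pdo, $value);
        if ($id === null) {
            return null;
        }
        $ids[$id] = $id;              // collapse repeated options
    }
    return array_values($ids);
}

// Constructed inputs standing in for $_POST['state'] and $_POST['states'].
var_dump(validStateId($pdo, '2'));              // offered option
var_dump(validStateId($pdo, '999'));            // integer, but never offered
var_dump(validStateId($pdo, '2abc'));           // not an integer
var_dump(validStateIds($pdo, ['1', '3', '3'])); // multi select with a repeat
var_dump(validStateIds($pdo, ['1', 'x']));      // multi select with one bad value
```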

