Greg Donald <mailto:destiney@xxxxxxxxx> on Monday, November 15, 2004 11:08 AM said:

>> <?php
>> if ($_POST['FirstName'] == "") {
>>     $display_block = "<h1>Add an Entry</h1>
>>     <form method=\"post\" action=\"$_SERVER[PHP_SELF]\">
>>     <P><strong>First/Last Names:</strong><br>
>>     <input type=\"text\" name=\"FirstName\" size=30 maxlength=75 >
>>     <input type=\"text\" name=\"LastName\" size=30 maxlength=75 >
>
> It's trivial for a malicious attacker to bypass your maxlength, just
> an FYI. You should check with strlen() after the post, or possibly
> look into javascript form validation.

Greg,

I'm sure you already understand this but I just wanted to add to your statement for those that may not.

Javascript should not be relied upon for data validation as a security measure. It should merely be used as a convenience to the user (so they don't have to wait for a page to reload just to see some error notices) and to take load off the server (so the server does not have to process a page 10 times while the customer refines their input to match your criteria).

Having said that, make sure to always have server-side validation in place even if you *do* in fact also use Javascript on the client side.

Chris.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
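The server-side check both replies call for, as an added example that is not code from this thread: it enforces on the server the same 75-character limit the form's maxlength attributes only suggest to the browser. The function names, the use of mb_strlen instead of strlen, and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not from the thread: server-side validation of the
// FirstName/LastName fields. Function names and limits are assumptions.

/**
 * Validate one required text field taken from a POST body.
 * Returns null when the value is acceptable, otherwise an error message.
 */
function validate_name_field(array $post, string $field, int $maxLength = 75): ?string
{
    // The field may be missing, or may arrive as an array (name[]=...):
    // the client controls the request body, so never assume the form's shape.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return "$field is required.";
    }
    $value = trim($post[$field]);
    if ($value === '') {
        return "$field must not be blank.";
    }
    // mb_strlen counts characters rather than bytes, so a multi-byte name
    // is measured the same way the browser's maxlength measures it.
    if (mb_strlen($value, 'UTF-8') > $maxLength) {
        return "$field must be at most $maxLength characters.";
    }
    return null;
}

/**
 * Validate every expected field; returns error messages keyed by field name.
 * An empty array means the submission passed and may be processed.
 */
function validate_entry(array $post): array
{
    $errors = [];
    foreach (['FirstName' => 75, 'LastName' => 75] as $field => $max) {
        $err = validate_name_field($post, $field, $max);
        if ($err !== null) {
            $errors[$field] = $err;
        }
    }
    return $errors;
}

// Constructed sample submissions (not real requests): the second one has a
// value far longer than maxlength and omits LastName entirely.
$accepted = validate_entry(['FirstName' => 'Ada', 'LastName' => 'Lovelace']);
$rejected = validate_entry(['FirstName' => str_repeat('A', 200)]);
var_dump($accepted, $rejected);
```

In the real handler, run validate_entry($_POST) before touching the database and redisplay the form with the returned messages when the array is not empty.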