Rasmus Lerdorf <mailto:rasmus@xxxxxxxxxxx> on Friday, May 27, 2005 4:15 PM said: > He was apparently doing something along the lines of: > > foreach($_GET as $key=>$val) { > echo <<<EOL > <input type="hidden" name="$key" value="$val"> > EOL; > } > > Probably just a lazyness thing. Generally you will want to keep track > of which query args are actually valid and not just parrot whatever > you get back to the user. Oh I see. > Or if you are going to do do it this way, > recognize that you have to filter/encode both the query arg names and > the values. One question. (Because I'm a lame brain when it comes to security as I'm not good at imagining how things can be exploited): Is it bad to give field names the same name as their database counterpart? i.e. In a database the first name column might be known as 'fname'. Should a form field called 'fname' NOT be created? Chris. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
