Jasper Bryant-Greene wrote:
> Anyone else could link to your page with that URL and have the script executed on your page. You can't stop this, so you have to escape and validate the data coming in.

Sorry to reply to my own message, but to clarify, I meant you can't stop others linking to your page with their own choice of GET variables. You can stop the script being executed, by using htmlspecialchars().

--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/

--
PHP General Mailing List (http://www.php.net/)
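
Added example, not part of the original message: a GET variable echoed raw next to the same value passed through htmlspecialchars(), plus validation of a numeric parameter. The parameter names `name` and `page`, the helpers `e()` and `page_number()`, and the sample values are assumptions made for this illustration.

```php
<?php
// Constructed input: stands in for GET variables chosen by whoever built the link.
$_GET['name'] = '"><script>alert(1)</script>';
$_GET['page'] = '7abc';

// Escape at output time. ENT_QUOTES encodes both quote styles, so the value
// is also inert inside a quoted HTML attribute; the charset is stated explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate at input time: accept only an integer in the expected range,
// otherwise fall back to a default. Arrays and null fail validation too.
function page_number($raw, int $default = 1): int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $n === false ? $default : $n;
}

// ?name[]=x arrives as an array, so check the type before treating it as text.
$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : '';
$page = page_number($_GET['page'] ?? null);

// Unescaped: the markup in the value becomes part of the page.
$unescaped = '<input name="name" value="' . $name . '">';

// Escaped: the same value is rendered as plain text.
$escaped = '<input name="name" value="' . e($name) . '">';

echo "unescaped: $unescaped\n";
echo "escaped:   $escaped\n";
echo "page:      $page\n";
```

Escaping belongs at the point of output, while validation belongs where the value is read; the two cover different mistakes and neither replaces the other.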