RE: security/sql issues with php

right...

but here again, you're talking about the server app, getting the query, and validating the information within the query. since i assume the '%x' chars translate into something other than straight text, i assume that the html function you mention strips out these chars, or it returns a true/false if the data is valid. is this in essence what you're talking about?

-bruce




-----Original Message-----
From: Jasper Bryant-Greene [mailto:jasper@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, September 21, 2005 5:09 PM
To: 'PHP Mailing Lists'
Subject: Re:  security/sql issues with php


bruce wrote:
> thanks for the replies... i think i understand what you're stating..
> but i'm still confused as to why my app/server would allow a GET/POST
> piece of data that would/should be originating from a form on my site
> to come from a 3rd party/external site/app? i would have assumed that
> there are relatively easy/straight-forward methods to resolve this.

If you're using GET, then the URL in the user's address bar would look 
like this:

http://www.example.com/myscript.php?myvar1=some&myvar2=value

It's painfully easy for even the most novice of users to edit the values 
to say, for example:

http://www.example.com/myscript.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value

Which, if you outputted $_GET['myvar1'] without htmlspecialchars() 
escaping, would happily execute a JS script on your page. That's a 
rather benign example (simply pops up a "hello" box), but it wouldn't be 
difficult to do something worse.

Anyone else could link to your page with that URL and have the script 
executed on your page. You can't stop this, so you have to escape and 
validate the data coming in.

POST is a little more difficult but it is still really easy for a 
slightly more clued-up user to edit the data, or another website to POST 
data from their form to your script.

-- 
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

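Jasper's distinction between escaping output and validating input, as an added PHP example that is not part of this thread. The parameter names myvar1 and myvar2 come from the URL quoted above; the file name, the rule that myvar2 must be a positive integer, and the helper function names are assumptions for the demonstration.

```php
<?php
// escape_demo.php (constructed example, not from the thread).
// Run:  php -S localhost:8080 escape_demo.php
// then request the thread's URL against it, e.g.
// /escape_demo.php?myvar1=%3Cscript%20type%3D%22text%2Fjavascript%22%3Ealert%28%27hello%27%29%3C%2Fscript%3E&myvar2=value
declare(strict_types=1);

// PHP has already URL-decoded the query string by the time it lands in
// $_GET, so the %3C...%3E sequence arrives as a literal <script> tag:
//   $_GET['myvar1'] === '<script type="text/javascript">alert(\'hello\')</script>'
$raw = $_GET['myvar1'] ?? '';

// UNSAFE (what the thread warns about): the tag is emitted as markup and
// the browser executes it. Kept here as a comment only.
//   echo "<p>You sent: {$raw}</p>";

// SAFE: htmlspecialchars() rewrites & < > " ' as entities, so the browser
// shows the text instead of parsing it. Always pass the flags and charset;
// the defaults differ between PHP versions.
function renderSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Result for the payload above (as a comment, to show the transformation):
//   &lt;script type=&quot;text/javascript&quot;&gt;alert(&#039;hello&#039;)&lt;/script&gt;
echo '<p>You sent: ' . renderSafe($raw) . "</p>\n";

// VALIDATE: escaping keeps the page from executing input; it does not make
// the input *meaningful*. If a parameter is supposed to be a record id, reject
// anything that is not one before it touches a query or the page.
// (Assumption: myvar2 is meant to be a positive integer.)
function validRecordId(string $source): ?int
{
    $id = filter_input($source === 'post' ? INPUT_POST : INPUT_GET,
                       'myvar2', FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    return ($id === false || $id === null) ? null : $id;
}

$id = validRecordId('get');
if ($id === null) {
    http_response_code(400);
    echo "<p>myvar2 must be a positive integer.</p>\n";
    exit;
}
echo "<p>Record id: {$id}</p>\n";
```

The same validRecordId() helper works for POST bodies, which is the point of Jasper's closing paragraph: whether the value arrived by GET or POST changes nothing about whether it can be trusted.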


