oops, that should be htmlentities, not htmlspecialchars.
- Jeff
On 3-Oct-05, at 11:51 AM, Jeffrey Sambells wrote:
$PHP_SELF should not be used because it will not work without
register_globals being enabled. Rather, you should use
$_SERVER['PHP_SELF'] for it as above however...
Don't forget to check for XSS! Using PHP_SELF you could simply
change the URL in the browser to:
/path/to/script.php"><script>alert('hello');</script><b "
so always run htmlspecialchars on PHP_SELF!
<a href="<?php echo htmlspecialchars($_SERVER['PHP_SELF']) . '?action=bigger'; ?>">
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Jeffrey Sambells
Director of Research and Development
Zend Certified Engineer (ZCE)
We-Create Inc. ~ Internet Solutions
http://wecreate.com
jeff@xxxxxxxxxxxx
office: 519.745.7374
cell: 519.897.2552
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Get Mozilla Firefox at http://spreadfirefox.com/community/?q=affiliates&id=466&t=50
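As an added example (not code from the thread), the following PHP script places a constructed request path of the kind shown in the message into a link both unescaped and escaped, so the difference is visible on the command line. The `$injectedPath` value and the function names are illustrative assumptions, not anything from the original post.

```php
<?php
// Added example, not code from the thread: shows why $_SERVER['PHP_SELF'] must be
// escaped before it is placed into an href. All names here are illustrative.
// Run from the command line with: php php_self_escaping.php

// Constructed request path of the kind described in the message. The path part
// of the request URL is attacker-controlled and is exactly what PHP_SELF reflects.
$injectedPath = '/path/to/script.php"><script>alert(\'hello\');</script><b "';

// Vulnerable form: PHP_SELF is written into the attribute untouched, so the
// double quote in the path closes the href and the rest becomes live markup.
function vulnerableLink(string $phpSelf): string
{
    return '<a href="' . $phpSelf . '?action=bigger">bigger</a>';
}

// Hardened form: htmlspecialchars() replaces &, <, >, " (and, with ENT_QUOTES,
// also ') by entities, so the whole path stays inside the quoted attribute.
// ENT_QUOTES is spelled out because before PHP 8.1 the default flags left single
// quotes alone; ENT_SUBSTITUTE keeps invalid UTF-8 from yielding an empty string.
function safeLink(string $phpSelf): string
{
    $escaped = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $escaped . '?action=bigger">bigger</a>';
}

// A correctly built link contains exactly two tags: <a ...> and </a>. Any extra
// '<' means part of the path escaped the attribute and became markup.
function tagCount(string $html): int
{
    return substr_count($html, '<');
}

echo "Vulnerable: ", vulnerableLink($injectedPath), "\n";
echo "Tags in vulnerable output: ", tagCount(vulnerableLink($injectedPath)), "\n";
echo "Escaped:    ", safeLink($injectedPath), "\n";
echo "Tags in escaped output:    ", tagCount(safeLink($injectedPath)), "\n";
```

The tag count is the quickest check to add to a test: the vulnerable output carries the injected script and b tags in addition to the anchor, while the escaped output carries only the anchor's own two tags. For this ASCII input, htmlentities() with the same flags produces an identical string; it differs from htmlspecialchars() only in additionally converting characters that have named HTML entities.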