Which "someone" could do this is another question I have. The user? He'd do something to his own computer, no?

Gerry

On 3/14/06, tedd <tedd@xxxxxxxxxxxx> wrote:
>
> Hi:
>
> I've been using a php style switcher allowing users to change css.
> The code follows:
>
> Within the head tags.
>
> <link rel="stylesheet" type="text/css" media="screen" href="<?php echo (!$thestyle)?'style1':$thestyle ?>.css" >
>
> Within the body tags, allowing the user to select which style they want:
>
> <a href="switch.php?set=style2">Green</a> or <a href="switch.php?set=style1">Red</a>
>
> And, the corresponding (switch.php) php code is:
>
> <?php
> setcookie ('thestyle', $set, time()+31536000, '/', '', 0);
> header("Location: $HTTP_REFERER");
> ?>
>
> It's pretty simple. But recently, I had one person hammer me stating
> it was a security problem because I didn't validate the user input.
> As such, he says that someone could inject an arbitrary code and
> cause problems.
>
> 1. Is he right?
>
> 2. How does that work?
>
> 3. If so, what do I do to correct this?
>
> Many thanks for any replies.
>
> tedd
> --
> http://sperling.com

--
Gerry
http://portal.danen.org/
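
An added example, not part of the thread and not code from either poster: a `switch.php` that accepts only the two style names from the original post and redirects only to a path on its own site. `SITE_HOST`, `pick_style()` and `safe_return_path()` are hypothetical names, `example.com` is a placeholder, and the request is read from `$_GET` and `$_SERVER` instead of the `register_globals` variables used in the post.

```php
<?php
// Added example: allowlist the style name and constrain the redirect target.
// Assumption: style1 and style2 (from the original post) are the only styles.
const ALLOWED_STYLES = ['style1', 'style2'];
const DEFAULT_STYLE  = 'style1';
const SITE_HOST      = 'example.com'; // placeholder for the site's own host name

// Return $candidate only when it is exactly one of the known style names.
function pick_style($candidate): string
{
    return (is_string($candidate) && in_array($candidate, ALLOWED_STYLES, true))
        ? $candidate
        : DEFAULT_STYLE;
}

// Reduce a Referer value to a local path on SITE_HOST, or "/" if it is
// missing, malformed, or points at another host.
function safe_return_path($referer): string
{
    if (!is_string($referer)) {
        return '/';
    }
    $parts = parse_url($referer);
    if (!is_array($parts) || strcasecmp($parts['host'] ?? '', SITE_HOST) !== 0) {
        return '/';
    }
    $path = $parts['path'] ?? '/';
    // One leading slash only, no backslashes, spaces or control characters,
    // so the value cannot be read as "//other-host" or split the header.
    if (!preg_match('#^/(?![/\\\\])[^\x00-\x20\x7f\\\\]*\z#', $path)) {
        return '/';
    }
    return $path;
}

// The cookie only ever holds a value from ALLOWED_STYLES.
$style = pick_style($_GET['set'] ?? null);
setcookie('thestyle', $style, time() + 31536000, '/');

// The Referer header is client-supplied, so only its validated path is used.
header('Location: ' . safe_return_path($_SERVER['HTTP_REFERER'] ?? null));
exit;
```

The cookie is client-controlled as well, so the page that prints the `<link>` tag should pass `$_COOKIE['thestyle']` through the same `pick_style()` before echoing it into the `href` attribute.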