On 6/17/06 3:07 PM, Anthony Ettinger wrote:
> It's more like painting the color of your front door, but still leaving it unlocked. It doesn't change the fact that people can still open the door. Every input field needs to be validated regardless of GET vs. POST. The Web Developer toolbar for Firefox can easily convert all form fields to one or the other, so it's trivial to send a GET request as POST, and vice versa.
Which is why, if you read the last paragraph of my post, it said that there are two things you must do: 1) always check the origin of the input and 2) always filter (validate) the input.
--
Ben Ramsey
http://benramsey.com/

--
PHP General Mailing List (http://www.php.net/)
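
The two checks named in the reply above, as an added PHP example that is not part of the original message. It assumes "origin" means reading a value only from the request channel the form is expected to use (here the POST body), and the field names, rules and sample requests are hypothetical.

```php
<?php
/**
 * Accept a form submission only from the POST body, then validate every
 * field against an allow-list rule. Returns [clean values, errors].
 * Field names and rules are hypothetical.
 */
function read_signup(string $method, array $post): array
{
    $clean = [];
    $errors = [];

    // 1) Origin: only the POST body is consulted. Query-string and cookie
    //    values are never read (no $_REQUEST), so a form flipped to GET fails.
    if ($method !== 'POST') {
        return [$clean, ['method' => 'POST required']];
    }

    // 2) Filter: every field is validated, whatever channel delivered it.
    $rules = [
        'username' => fn($v) => is_string($v)
            && preg_match('/\A[a-z0-9_]{3,20}\z/', $v) === 1,
        'age' => fn($v) => filter_var($v, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 13, 'max_range' => 120]]) !== false,
        'plan' => fn($v) => in_array($v, ['free', 'pro'], true),
    ];
    foreach ($rules as $field => $isValid) {
        $value = $post[$field] ?? null;
        if ($value !== null && $isValid($value)) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'missing or invalid';
        }
    }
    return [$clean, $errors];
}

// Constructed sample requests: a form switched to GET, a valid POST,
// and a POST whose method is right but whose values are not.
$samples = [
    ['GET',  []],
    ['POST', ['username' => 'alice', 'age' => '30', 'plan' => 'pro']],
    ['POST', ['username' => "al\nice", 'age' => '30abc', 'plan' => 'admin']],
];
foreach ($samples as [$method, $post]) {
    [$clean, $errors] = read_signup($method, $post);
    echo $method, ' clean=', json_encode($clean),
        ' errors=', json_encode($errors), "\n";
}
```

In a real handler the call would be `read_signup($_SERVER['REQUEST_METHOD'], $_POST)`.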