Just to add my two cents -
I don't think it matters much what tokens you use to represent true
or false, since you're going to be explicitly checking them on the
server end anyway. I can't see much difference in principle between,
for example:
if ($_GET['foo'] == 'y')...
and
if ($_GET['foo'] == '1')...
or even
if ($_GET['foo'] == 'Oui')...
One should really not be doing just
if ($_GET['foo'])
anyway. Checking that a specific value is passed, rather than just
some value that PHP evaluates to true or false, is one way to catch
possible form hacking. For general reference, there are a number of
PHP security howtos out there on how to sanitize user input, but I'll
leave finding them as an 'exercise for the reader' at the moment. I
suppose using 0/1 does have the advantage of 'doing the right thing'
if a "if ($_GET['foo'])" creeps into your code, though. As would
using 'Y'/''.
That being said, I've used 0/1 along with y/n in the past; it depends
on whether I'm thinking like a programmer or a human ;)
steve
At 12:36 PM -0600 12/2/07, Larry Garfield wrote:
First of all, using "y" and "n" for boolean values (such as a checkbox) is
very sloppy. "n" is boolean True. A boolean value should evaluate correctly
in a boolean context. For that, you should use 1 and 0 for your values.
What I usually do is this:
<input type="hidden" name="foo" value="0" />
<input type="checkbox" name="foo" value="1" <?php echo $checked; ?> />
Then when it gets submitted, foo will get the value of the form element that
was submitted last that has a value. That is, if the checkbox is checked
then foo will be 1, otherwise it will be 0. That gives you a nice, clean
boolean value you can rely on being present (mostly <g>).
On Sunday 02 December 2007, Ronald Wiplinger wrote:
I have now tried to add many of the security hints on a web page and
come to a problem.
I am checking if the allowed fields match the sent fields.
From the database I get the information if a checkbox is checked or not:
<?php if($DB_a =="y") {
$checked="checked";
} else {
$checked="";
}
?>
<input type="checkbox" name="R_a" value="y" <?php echo $checked ?> />
If the user takes out the checkmark the value will become "" and the
field will not be submitted, which results in a missing field.
$allowed = array();
$allowed[]='form';
$allowed[]='R_a';
$allowed[]='R_b';
....
$sent = array_keys($_POST);
if($allowed == $sent) {
... do some checking ...
} else {
echo "Expected input fields do not match!";
}
break;
How can I force a "n" for not checked in the input field? or how can I
solve that?
bye
> Ronald
--
+--------------- my people are the people of the dessert, ---------------+
| Steve Edberg http://pgfsun.ucdavis.edu/ |
| UC Davis Genome Center sbedberg@xxxxxxxxxxx |
| Bioinformatics programming/database/sysadmin (530)754-9127 |
+---------------- said t e lawrence, picking up his fork ----------------+
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
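Putting the two suggestions in this thread together, here is an added example (not code from any of the posters): the hidden "0" plus checkbox "1" pair so a value is always submitted, and a server-side check that compares the submitted field names against the allowed list as a set and only accepts the literal strings "0" or "1" for boolean fields. The function names and the sample $_POST arrays are constructed for illustration.

```php
<?php
// Render a checkbox so that a value is always submitted: the hidden
// field sends "0" first, and when the box is checked the later "1" wins.
// (The hidden input must come before the checkbox for this to work.)
function render_bool_field(string $name, bool $checked): string
{
    $n = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . $n . '" value="0" />' . "\n"
         . '<input type="checkbox" name="' . $n . '" value="1"'
         . ($checked ? ' checked' : '') . ' />';
}

// Validate a submission against the expected field names and the fields
// that must carry a canonical boolean ("0" or "1" only).
// Returns a list of error strings; an empty list means the form is well formed.
function validate_form(array $post, array $allowed, array $boolFields): array
{
    $errors = [];
    $sent = array_keys($post);

    // Compare as sets, so the order of fields in the request does not matter
    // (a plain $allowed == $sent compares positionally and is fragile).
    foreach (array_diff($allowed, $sent) as $missing) {
        $errors[] = "missing field: $missing";
    }
    foreach (array_diff($sent, $allowed) as $extra) {
        $errors[] = "unexpected field: $extra";
    }

    foreach ($boolFields as $field) {
        // Strict comparison against the two accepted tokens: "n", "on", "yes"
        // or "2" are all rejected, even though PHP treats them as true in an if().
        if (isset($post[$field]) && !in_array($post[$field], ['0', '1'], true)) {
            $errors[] = "field $field must be 0 or 1, got " . var_export($post[$field], true);
        }
    }
    return $errors;
}

$allowed    = ['form', 'R_a', 'R_b'];
$boolFields = ['R_a', 'R_b'];

// Constructed sample submissions (what $_POST would contain).
$good = ['form' => 'edit', 'R_a' => '1', 'R_b' => '0'];  // a checked, b not
$bad  = ['form' => 'edit', 'R_a' => 'n', 'evil' => 'x']; // R_b missing, bogus value, extra field

echo render_bool_field('R_a', true), "\n";
print_r(validate_form($good, $allowed, $boolFields));
print_r(validate_form($bad, $allowed, $boolFields));
```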