At 9:42 AM -0400 10/3/09, Tom Worster wrote:
On 10/2/09 10:24 AM, "tedd" <tedd.sperling@xxxxxxxxx> wrote:
At 1:55 PM +0530 10/2/09, kranthi wrote:
and yes i forgot to mention... i avoid hidden form elements because
they can be modified very easily and hence pose a security threat.
That depends upon how sloppy you are in coding.
NONE of my hidden variables pose any security problems whatsoever.
...because one always assumes that data supplied in an http request is
tainted. hence arguments about which exploit is more likely is rather
pointless.
a hidden input is really no different from any other form field. kranthi's
argument would be consistent if he felt that all form inputs should be
avoided because they are so easily modified as to pose a security threat.
Exactly.
All data gathered via forms, hidden or not, must be sanitized.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
