Re: Self-Process php forms or not?

At 9:42 AM -0400 10/3/09, Tom Worster wrote:
> On 10/2/09 10:24 AM, "tedd" <tedd.sperling@xxxxxxxxx> wrote:
>
>> At 1:55 PM +0530 10/2/09, kranthi wrote:
>>> and yes i forgot to mention... i avoid hidden form elements because
>>> they can be modified very easily and hence pose a security threat.
>>
>> That depends upon how sloppy you are in coding.
>>
>> NONE of my hidden variables pose any security problems whatsoever.
>
> ...because one always assumes that data supplied in an http request is
> tainted. hence arguments about which exploit is more likely are rather
> pointless.
>
> a hidden input is really no different from any other form field. kranthi's
> argument would be consistent if he felt that all form inputs should be
> avoided because they are so easily modified as to pose a security threat.

Exactly.

All data gathered via forms, hidden or not, must be sanitized.

Cheers,

tedd
--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
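
An added example, not code from any poster in this thread, of the point the thread converges on: a hidden field gets the same server-side checks as a visible one, a price is looked up on the server rather than read from the form, and state that must round-trip through a hidden field carries a MAC. The key, catalogue, field names and sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumptions for this sketch: key, catalogue and field names are constructed.
const FORM_KEY  = 'server-side-secret-never-sent-to-the-browser';
const CATALOGUE = [101 => 1999, 102 => 4500]; // item id => price in cents

// Attach a MAC to state that has to round-trip through a hidden field.
function sign_hidden(string $value): string
{
    return $value . '.' . hash_hmac('sha256', $value, FORM_KEY);
}

// Return the value if its MAC verifies, or null if it was altered.
function verify_hidden(string $signed): ?string
{
    $pos = strrpos($signed, '.');
    if ($pos === false) {
        return null;
    }
    $value = substr($signed, 0, $pos);
    $mac   = substr($signed, $pos + 1);
    return hash_equals(hash_hmac('sha256', $value, FORM_KEY), $mac) ? $value : null;
}

// $post stands in for $_POST; hidden and visible fields get the same checks.
function handle_order(array $post): array
{
    $id  = filter_var($post['item_id'] ?? null, FILTER_VALIDATE_INT);
    $qty = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    $coupon = is_string($post['coupon'] ?? null) ? verify_hidden($post['coupon']) : null;

    if ($id === false || !array_key_exists($id, CATALOGUE) || $qty === false) {
        return ['ok' => false, 'error' => 'invalid item or quantity'];
    }
    if (isset($post['coupon']) && $coupon === null) {
        return ['ok' => false, 'error' => 'coupon field was modified'];
    }
    // The price comes from the server's data, never from the submitted form.
    $total = CATALOGUE[$id] * $qty;
    return ['ok' => true, 'total' => $coupon === 'HALF' ? intdiv($total, 2) : $total];
}

// Constructed requests: an honest one, then one with edited hidden fields.
$honest   = ['item_id' => '101', 'qty' => '2', 'price' => '1999', 'coupon' => sign_hidden('HALF')];
$tampered = ['item_id' => '101', 'qty' => '2', 'price' => '1', 'coupon' => 'HALF.deadbeef'];
var_dump(handle_order($honest));
var_dump(handle_order($tampered));
```

The MAC detects edits to the hidden value; it does not by itself stop a valid signed value from being replayed in another request.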