Re: Tutorial on Re-filling form data?

> On Jun 22, 2017, at 6:58 PM, AshleySheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> On Thu, 2017-06-22 at 19:07 -0400, Aziz Saleh wrote:
>> On Thu, Jun 22, 2017 at 2:15 PM, leam hall <leamhall@xxxxxxxxx>
>> wrote:
>> 
>>> 
>>> Using PHP 5 and not OOP savvy.
>>> 
>>> I have a form that gives the user options. On submit it calls
>>> itself
>>> and if the $_POST variable is set produces the result of the form
>>> choices. However, it currently resets all the form options to
>>> default
>>> values.
>>> 
>>> Is there a tutorial somewhere on how to keep the existing form
>>> choices
>>> in place, unless the user changes the selection and resubmits?
>>> 
>>> Thanks!
>>> 
>>> Leam
>>> 
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>> 
>>> 
>> You just want the ability to have the inputs pre-selected based on
>> user
>> input? Shouldn't be hard by doing the same thing you did for the
>> actual
>> form submit for each input.
>> 
>> Ex:
>> <input type="text" id="username" name="username" value="<?php echo
>> (isset($_POST['username']) ? $_POST['username'] : ''); ?>" />
>> 
>> You would do the same with radio/check/select, but in a different
>> manner of
>> course.
>> 
>> Ps: Your email went to spam, thus the late reply.
> 
> And now you've just introduced an XSS vulnerability into your
> application. Never, ever, ever trust user input; that includes all form
> data, cookies, uploads, and even the URL they request. All it takes is
> one user out of a million to be a dick, and you've got a day of
> headache and problems to fix, if you're lucky. If you want to use user
> input in your output, then escape it before outputting it.
> 
> This goes for all your form fields, select lists are not immune from
> tampered values.
> 

I would use various input screening techniques before printing the user input back to the page, or setting any form element to the value submitted by the user.
The common way is to use regular expressions to screen for hazardous characters in the input.

Hazardous characters are any character that is not what would be expected from legitimate input. But there are also character sequences that could be hazardous.

You can go a long way by inspecting the source of the form input. If it is not the URL of the form itself, it is probably a bogus submission.

Have your code look at $_SERVER['HTTP_REFERER']. It should be the valid URL of the form itself. Reject any that aren't, AND reject any case where there is no $_SERVER['HTTP_REFERER'] value available for the submission.

JK


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
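Putting the thread's advice together, here is an added example (not code from any of the posters) of a self-submitting form that re-fills a text input, a select, a radio group and a checkbox from $_POST, escaping every echoed value and accepting option values only from a server-side whitelist. The field names, option lists and defaults are assumptions.

```php
<?php
// Added example, not from the thread: re-fill a self-submitting form safely.
// Every echoed value goes through htmlspecialchars(); select/radio choices are
// accepted only if they match a server-side list, since a browser can submit any
// value for them. Field names, option lists and defaults are assumptions.
$colours = array('red' => 'Red', 'green' => 'Green', 'blue' => 'Blue');
$sizes   = array('s' => 'Small', 'm' => 'Medium', 'l' => 'Large');

// Escape for an HTML attribute or text node; ENT_QUOTES covers both " and '.
function h($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Submitted string for $name, or $default if absent or not a plain string.
function posted($name, $default = '') {
    return (isset($_POST[$name]) && is_string($_POST[$name])) ? $_POST[$name] : $default;
}

// Submitted choice only if it is one of the allowed keys, otherwise $default.
function postedChoice($name, array $allowed, $default = '') {
    $v = posted($name, $default);
    return array_key_exists($v, $allowed) ? $v : $default;
}

$username   = posted('username');
$colour     = postedChoice('colour', $colours, 'red');
$size       = postedChoice('size', $sizes, 'm');
$newsletter = isset($_POST['newsletter']);   // checkbox: present means checked
?>
<form method="post" action="">
  <!-- text input: value attribute re-filled, escaped -->
  <input type="text" name="username" value="<?php echo h($username); ?>">
  <!-- select: only the validated choice is marked selected -->
  <select name="colour">
  <?php foreach ($colours as $key => $label): ?>
    <option value="<?php echo h($key); ?>"<?php if ($key === $colour) echo ' selected'; ?>><?php echo h($label); ?></option>
  <?php endforeach; ?>
  </select>
  <!-- radio group: the validated choice is checked -->
  <?php foreach ($sizes as $key => $label): ?>
    <label><input type="radio" name="size" value="<?php echo h($key); ?>"<?php if ($key === $size) echo ' checked'; ?>> <?php echo h($label); ?></label>
  <?php endforeach; ?>
  <!-- checkbox: re-checked if it was submitted -->
  <label><input type="checkbox" name="newsletter"<?php if ($newsletter) echo ' checked'; ?>> Newsletter</label>
  <input type="submit" value="Submit">
</form>
```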