https://www.phpro.org/tutorials/Validating-User-Input.html

On Fri, Jun 23, 2017 at 2:03 PM, Jeffry Killen <jekillen@xxxxxxxxxxx> wrote:
>
> > On Jun 22, 2017, at 6:58 PM, AshleySheridan <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Thu, 2017-06-22 at 19:07 -0400, Aziz Saleh wrote:
> >> On Thu, Jun 22, 2017 at 2:15 PM, leam hall <leamhall@xxxxxxxxx> wrote:
> >>
> >>> Using PHP 5 and not OOP savvy.
> >>>
> >>> I have a form that gives the user options. On submit it calls itself
> >>> and if the $_POST variable is set produces the result of the form
> >>> choices. However, it currently resets all the form options to default
> >>> values.
> >>>
> >>> Is there a tutorial somewhere on how to keep the existing form choices
> >>> in place, unless the user changes the selection and resubmits?
> >>>
> >>> Thanks!
> >>>
> >>> Leam
> >>>
> >>> --
> >>> PHP General Mailing List (http://www.php.net/)
> >>> To unsubscribe, visit: http://www.php.net/unsub.php
> >>>
> >>
> >> You just want the ability to have the inputs pre-selected based on user
> >> input? Shouldn't be hard by doing the same thing you did for the actual
> >> form submit for each input.
> >>
> >> Ex:
> >> <input type="text" id="username" name="username" value="<?php echo
> >> (isset($_POST['username']) ? $_POST['username'] : ''); ?>" />
> >>
> >> You would do the same with radio/check/select, but in a different
> >> manner of course.
> >>
> >> Ps: Your email went to spam, thus the late reply.
> >
> > And now you've just introduced an XSS vulnerability into your
> > application. Never, ever, ever trust user input; that includes all form
> > data, cookies, uploads, and even the URL they request. All it takes is
> > one user out of a million to be a dick, and you've got a day of
> > headache and problems to fix, if you're lucky. If you want to use user
> > input in your output, then escape it before outputting it.
> >
> > This goes for all your form fields, select lists are not immune from
> > tampered values.
> >
>
> I would use various input screening techniques before printing the user
> input back to the page, or setting any form element to the value submitted
> by user.
> The common way is to use regular expressions to screen for hazardous
> characters in the input.
>
> Hazardous characters are any character that is not what would be expected
> from legitimate input. But there are also character sequences that could be
> hazardous.
>
> You can go a long way by inspecting the source of the form input. If it is
> not the url of the form itself, it is probably a bogus submission.
>
> Have your code look at $_SERVER['HTTP_REFERER']. It should be the valid
> url of the form itself. Reject any that aren't, AND reject any case where
> there is no $_SERVER['HTTP_REFERER'] value for the submission available.
>
> JK
>
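The repopulation Aziz describes, combined with the output escaping Ashley insists on, as an added example that is not code from any of the thread's participants: the text field is echoed back only through htmlspecialchars(), and the select, radio and checkbox values are accepted only if they match a fixed whitelist, so a tampered option quietly falls back to the default instead of being reflected. The option keys, labels and defaults are constructed for the example.

```php
<?php
// Added example, not code from the thread: a self-submitting form that keeps
// the user's previous choices while escaping everything echoed back and only
// accepting select/radio/checkbox values that appear in a fixed whitelist.
// Escape a value for use inside an HTML attribute or text node.
function e($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}
// Return $value only if it is a string naming a key of $allowed, else $default.
function pick(array $allowed, $value, $default) {
    return (is_string($value) && isset($allowed[$value])) ? $value : $default;
}
// Allowed option values (constructed for this example); labels are escaped on output.
$colors = array('red' => 'Red', 'green' => 'Green', 'blue' => 'Blue');
$sizes  = array('s' => 'Small', 'm' => 'Medium', 'l' => 'Large');
$extras = array('gift' => 'Gift wrap', 'rush' => 'Rush delivery');
// Text field: any string is kept, but it is only ever printed through e().
$username = (isset($_POST['username']) && is_string($_POST['username'])) ? $_POST['username'] : '';
// Select and radio: a tampered or missing value silently falls back to the default.
$color = pick($colors, isset($_POST['color']) ? $_POST['color'] : null, 'red');
$size  = pick($sizes,  isset($_POST['size'])  ? $_POST['size']  : null, 'm');
// Checkboxes arrive as an array; keep only whitelisted string entries.
$chosen = array();
if (isset($_POST['extras']) && is_array($_POST['extras'])) {
    $chosen = array_values(array_intersect(array_keys($extras), array_filter($_POST['extras'], 'is_string')));
}
// Show the result of the submission; every user-derived piece goes through e().
if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
    echo '<p>You chose: ' . e($username) . ', ' . e($colors[$color]) . ', ' . e($sizes[$size])
       . ($chosen ? ' + ' . e(implode(', ', $chosen)) : '') . '</p>';
}
?>
<form method="post">
  <input type="text" name="username" value="<?php echo e($username); ?>" />
  <select name="color">
  <?php foreach ($colors as $key => $label): ?>
    <option value="<?php echo e($key); ?>"<?php if ($key === $color) echo ' selected'; ?>><?php echo e($label); ?></option>
  <?php endforeach; ?>
  </select>
  <?php foreach ($sizes as $key => $label): ?>
    <label><input type="radio" name="size" value="<?php echo e($key); ?>"<?php if ($key === $size) echo ' checked'; ?> /> <?php echo e($label); ?></label>
  <?php endforeach; ?>
  <?php foreach ($extras as $key => $label): ?>
    <label><input type="checkbox" name="extras[]" value="<?php echo e($key); ?>"<?php if (in_array($key, $chosen, true)) echo ' checked'; ?> /> <?php echo e($label); ?></label>
  <?php endforeach; ?>
  <input type="submit" value="Submit" />
</form>
```

Because the form omits an action attribute, the browser posts back to the same URL without echoing $_SERVER['PHP_SELF'] into the markup.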