Date: 11/18/99
- Next message: Kristian Koehntopp: "Re: [PHPLIB] Session stuff???????????"
- Previous message: Bob Strouper: "RE: Re: [PHPLIB] oohforms: default CHECKED & radio"
- In reply to: Björn Schotte: "Re: [PHPLIB] Am I doing right?"
- Next in thread: Narinda Reeders: "Re: [PHPLIB] Security Issues"
- Reply: Narinda Reeders: "Re: [PHPLIB] Security Issues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Nov 18, 1999 at 06:59:04PM +0100, Björn Schotte wrote:
> > > $sess->reimport_post_vars();
> > Reimporting variables is a bad idea, just for security reasons
>
> But: if I don't call reimport_post_vars(), the entries the user
> entered in the FORM are empty ... so I browsed the manual and
> found this function. Was that wrong?
You made form variables persistent. This can only happen if you do no
validation on variable import, which is generally a no-no.
Normally you have a variable $x, which is made persistent and is "clean" and
you have a variable $f_x (form x), which is being imported from the outside
and is unvalidated. You never work with $f_x.
If $f_submit is being set, you copy $f_x to $x if validate_x($f_x) returns
true.
page_open(...);
$sess->register("x");        /* $x is persistent and always clean */
if ($f_submit) {
    /* we are in a submit situation: $f_x is raw, unvalidated form input */
    if (validate_x($f_x))
        $x = $f_x;           /* only validated input is copied into $x */
}
page_close();                /* save $x */
No reimport needed, ever.
Kristian
-
PHP3 Base Library Mailing List. Send messages to <phplib <email protected>>.
To unsubscribe, send "unsubscribe" to <phplib-request <email protected>> in
the body, not the subject, of your message.
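The $x / $f_x split Kristian describes, written out as a small routine with several fields. This is an added example, not PHPLIB code or code from the thread: the field names, the validators and the request data are made up, $clean stands in for the session-registered variables and $form for the raw POST data.

```php
<?php
// Added example (not PHPLIB code): validated import of form variables.
// $clean plays the role of the session-registered, always-clean $x
// variables; $form plays the role of the raw, unvalidated $f_x input.

// One validator per accepted field (hypothetical fields). A field that is
// not listed here can never reach the clean array, whatever the client posts.
function validators(): array {
    return [
        'age'   => fn($v) => is_string($v) && preg_match('/^\d{1,3}$/', $v) === 1,
        'email' => fn($v) => is_string($v)
                             && filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    ];
}

// Copy $form[$name] into $clean[$name] only when its validator accepts it.
// Returns the updated clean array and the names of the rejected fields, so
// the caller can redisplay the form with errors while $clean stays intact.
function import_validated(array $form, array $clean, array $validators): array {
    $rejected = [];
    foreach ($validators as $name => $ok) {
        if (!array_key_exists($name, $form)) {
            continue;                     // not submitted: keep the old value
        }
        if ($ok($form[$name])) {
            $clean[$name] = $form[$name]; // validated: promote $f_x to $x
        } else {
            $rejected[] = $name;          // invalid: $x keeps its clean value
        }
    }
    return [$clean, $rejected];
}

// Constructed request: one good field, one bad field, and a key that is not
// a form field at all (the kind of thing a blind reimport would swallow).
$session = ['age' => '30', 'email' => 'old@example.com', 'is_admin' => false];
$post    = ['age' => 'abc', 'email' => 'new@example.com', 'is_admin' => '1'];

// Stand-in for the "if ($f_submit)" branch in the mail.
[$session, $errors] = import_validated($post, $session, validators());
var_dump($session, $errors);
```

Running it shows the rejected 'age' leaving the old clean value in place and 'is_admin' untouched, because only fields with a validator are ever copied; no reimport of POST data into the session is needed.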