[nycphp-talk] PHP Form Validation
Billy Reisinger
mail at billyreisinger.com
Thu Sep 1 22:36:40 EDT 2005
On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:
> Cliff Hirsch wrote:
>
>> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>
>> Beside the primary validation content, the article uses the
>> following example, which I often see:
>> <input type="text" name="email" value="<?=$_POST['email']?>" />
>>
>
> This is really a big problem within our community. I can't think of a
> more obvious XSS vulnerability, but here it is in an article that
> numerous developers will read and apply to their own development.
>
Correct me if I'm wrong here, folks, but using a $_POST['variable']
directly in a form is no more or less vulnerable to attack than using
a different variable that is a reference to a $_POST variable. If
you want to carry over form values after errors or across multiple
form pages (i.e. preserve state), you have to reference these $_POST
variables eventually, in some form or fashion. In this sense, ALL
forms are vulnerable to hacks. It should be a necessary step for
you to validate and protect yourself against any variable that your
users can change.
More information about the talk
mailing list