[nycphp-talk] Managing form data with PHP
Gary Mort
bz-gmort at beezifies.com
Sun Dec 16 10:14:07 EST 2007
David Mintz wrote:
> Once upon a time someone said it was a security risk to echo back
> $_POST data unconditionally, even if you escape it, and even though
> you are only showing them the very thing they just submitted to you.
> But I forget what that risk was. Maybe I misremember.
It depends on what you're doing.
As an example, what if it's the message text for an email someone sends
to your site. It's just one field, and you put your logo and framing
around it, but without much explanatory text.
Now, I trick someone with an account on your site into posting to that form
and displaying the following text:
"There is a problem with your account. Please contact scumsucker at
212-000-0000 and have your account name and the credit card number
associated with the account to verify account ownership".
Oops, not such a good idea to display that on your site!
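One defensive pattern for the scenario Gary describes, as an added example that is not code from the original thread: the page only reflects the submitted text when the POST carries a token issued to the same browser session, and it labels the reflected text as the user's own submission rather than site content. The field names `token` and `message` and the session key `form_token` are assumptions for this example.

```php
<?php
// Added example (not from the original thread). Tie the echo to a
// per-session token so that a form post staged by a third party does
// not get its text displayed under the site's logo and framing.
session_start();

if (empty($_SESSION['form_token'])) {
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
}

function messageToShow(array $post, string $expectedToken): ?string
{
    // A cross-site POST arranged by someone else does not carry this
    // session's token, so the submitted text is simply not reflected.
    if (!isset($post['token']) || !hash_equals($expectedToken, (string) $post['token'])) {
        return null;
    }
    if (!isset($post['message']) || !is_string($post['message'])) {
        return null;
    }
    return $post['message'];
}

$shown = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    ? messageToShow($_POST, $_SESSION['form_token'])
    : null;
?>
<form method="post">
  <input type="hidden" name="token"
         value="<?= htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8') ?>">
  <textarea name="message"></textarea>
  <button type="submit">Send</button>
</form>
<?php if ($shown !== null): ?>
  <!-- Escaping stops markup injection; the label stops the text from
       reading as a notice from the site itself. -->
  <p>The text you just submitted (shown back for your review; this is not a message from the site):</p>
  <blockquote><?= nl2br(htmlspecialchars($shown, ENT_QUOTES, 'UTF-8')) ?></blockquote>
<?php endif; ?>
```

Escaping alone addresses script injection; the token check and the explicit label address the content-impersonation problem raised in the post, which escaping does nothing about.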