
[nycphp-talk] Form action submission trickery

Cliff Hirsch cliff at pinestream.com
Fri Nov 30 13:28:30 EST 2007


On 11/30/07 12:46 PM, "John Campbell" <jcampbell1 at gmail.com> wrote:
> An empty URI, is a valid URI that just means the current URI.
> see: http://www.ietf.org/rfc/rfc2396.txt  section 4.2

Really?! Perfect. That's the answer I was hoping for. This section states it
clearly.

> it doesn't make sense if method="get"
True, but I have found that get input variables will override anything that
happens to be in the url query. I find few instances where a get form makes
much sense anyway, other than filtering/searching.

>> (Which leads to the question, is PHP_SELF safe to use, or should you escape
>> it?)
> 
> Of course you have to escape it.

Which begs the question htmlspecialchars or htmlentities. I err on the
side of caution, using a single escaping function, to be consistent, that
calls htmlentities with the appropriate character set and ENT_QUOTES.
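The three options discussed in this thread side by side, as an added example that is not code from any of the posters: an unescaped PHP_SELF in the action attribute, the same tag passed through a single escaping wrapper (htmlentities with ENT_QUOTES and an explicit charset, as described above), and the empty action that RFC 2396 section 4.2 defines as the current URI. The helper name `e()`, the page name `/page.php` and the crafted request path are assumptions made for the illustration; the crafted path only reaches PHP_SELF on a server that passes trailing path info through to the script.

```php
<?php
// Added example, not from the original thread.
// Shows why $_SERVER['PHP_SELF'] must be escaped before it is echoed into a
// form action attribute, and the single-escaping-function approach from the post.

/**
 * The one escaping function used for every value written into HTML.
 * ENT_QUOTES converts both " and ', so the result is safe inside a
 * double- or single-quoted attribute as well as in element text.
 * The explicit charset matters: htmlentities also converts non-ASCII
 * characters, and with a wrong charset it can return an empty string
 * for byte sequences that are invalid in that encoding.
 */
function e(string $value, string $charset = 'UTF-8'): string
{
    return htmlentities($value, ENT_QUOTES, $charset);
}

/** What the thread warns against: PHP_SELF echoed as-is into the attribute. */
function form_tag_unescaped(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

/** The same tag with the value run through the escaping function. */
function form_tag_escaped(string $phpSelf): string
{
    return '<form method="post" action="' . e($phpSelf) . '">';
}

/** The alternative from the thread: an empty action submits to the current URI. */
function form_tag_empty_action(): string
{
    return '<form method="post" action="">';
}

// Constructed input (assumption): a request for /page.php/"><b>x</b> on a server
// that passes path info through leaves PHP_SELF holding the whole path.
// In real use this would be $_SERVER['PHP_SELF'].
$crafted = '/page.php/"><b>x</b>';

// Unescaped: the double quote closes the attribute early and the rest of the
// path is parsed as markup by the browser.
echo form_tag_unescaped($crafted), "\n";

// Escaped: the quote and angle brackets become entities and stay inside the
// attribute value, so the browser sees an odd but harmless action URL.
echo form_tag_escaped($crafted), "\n";

// Empty action: nothing attacker-controlled is written into the tag at all.
echo form_tag_empty_action(), "\n";
```

Run it with `php` on the command line and compare the three tags. With ENT_QUOTES set, htmlspecialchars and htmlentities agree on the five characters that matter for attribute injection (`&`, `<`, `>`, `"`, `'`); htmlentities additionally encodes every other character that has a named entity, which is why it needs the charset argument and why the wrapper above always passes one.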
