FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Good code or bad code?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Good code or bad code? [message #170200 is a reply to message #170198] Sun, 17 October 2010 22:16 Go to previous messageGo to previous message
Magno is currently offline  Magno
Messages: 49
Registered: October 2010
Karma:
Member
On 10/17/2010 03:39 PM, Thomas 'PointedEars' Lahn wrote:
> The correct course of action would be for you to present an argument why my
> statement is not true.
>
> Anyhow, for an oft-cited (and thus easily found) example (here: courtesy of
> <http://blog.oncode.info/>, slightly adapted), take this problematic, but
> often found, `form' element:
>
> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> …
> </form>
>
> and this URI to trigger the PHP script containing it:
>
> http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascrip t%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php
>
> (Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or htmlspecialchars()
> would help here, but $_SERVER['SCRIPT_NAME'] usually does not require to be
> wrapped in either one. Hence my recommendation.)

I use to assume everyone being wise enough to not do such an idiotic
mistakes like not filtering what you are going to print on HTML.

You must ALWAYS use htmlspecialchars, when the user interaction can
alter anything you will print in the output.

>>> RTFM and call phpinfo() for details on $_SERVER.
>>
>> What the OP should read is.-
>>
>> http://php.net/manual/en/reserved.variables.server.php
>
> That *is* the FM.

Didn’t say it is not. Anyway there are more respectful ways for you to
tell that to someone, other than your typical condescendence.
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: buffering to allow headers in code?
Next Topic: Stats comp.lang.php (last 7 days)
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 07:52:56 GMT 2024

Total time taken to generate the page: 0.04587 seconds