
Re: Good code or bad code? [message #170204 is a reply to message #170200] Mon, 18 October 2010 00:06
Jerry Stuckle
Messages: 2598
Registered: September 2010
Senior Member
On 10/17/2010 6:16 PM, Magno wrote:
> On 10/17/2010 03:39 PM, Thomas 'PointedEars' Lahn wrote:
>> The correct course of action would be for you to present an argument
>> why my statement is not true.
>>
>> Anyhow, for an oft-cited (and thus easily found) example (here: courtesy of
>> <http://blog.oncode.info/>, slightly adapted), take this problematic, but
>> often found, `form' element:
>>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
>> …
>> </form>
>>
>> and this URI to trigger the PHP script containing it:
>>
>> http://foo.example/bar/myform.php/%22%3E%3C%2Fform%3EHier%20ein%20Javascript%3A%20%3Cscript%20type%3D%22text%2Fjavascript%22%3Ewindow.alert('Gotcha!')%3B%3C%2Fscript%3E%3Cform%20action%3D%22%2Fcontact%2Fmyform.php
>>
>>
>> (Yes, wrapping $_SERVER['PHP_SELF'] in htmlentities() or htmlspecialchars()
>> would help here, but $_SERVER['SCRIPT_NAME'] usually does not require to be
>> wrapped in either one. Hence my recommendation.)
>
> I used to assume everyone was wise enough not to make such idiotic
> mistakes as not filtering what you are going to print in HTML.
>
> You must ALWAYS use htmlspecialchars, when the user interaction can
> alter anything you will print in the output.
>
>>>> RTFM and call phpinfo() for details on $_SERVER.
>>>
>>> What the OP should read is.-
>>>
>>> http://php.net/manual/en/reserved.variables.server.php
>>
>> That *is* the FM.
>
> Didn't say it is not. Anyway, there are more respectful ways for you to
> tell that to someone, other than your typical condescension.

He doesn't know any other way - because he can't say anything intelligent.

He's a well known troll on several Usenet newsgroups besides this one.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
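The form-action issue quoted in this thread, as an added example that is not part of the original post: a constructed $_SERVER snapshot in which PHP_SELF is SCRIPT_NAME plus a client-supplied PATH_INFO, rendered through the vulnerable pattern and through the two fixes mentioned above (escaping, and using SCRIPT_NAME). The helper names h(), formAction*() and looksInjected() are this example's own.

```php
<?php
declare(strict_types=1);

// HTML-escape for attribute context: ENT_QUOTES neutralises both quote
// styles, explicit UTF-8 keeps multibyte input from being mangled.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern from the thread: PHP_SELF carries PATH_INFO, which
// the client controls, straight into an attribute value.
function formActionUnsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '" method="post">';
}

// Fix 1: escape whatever is echoed into the attribute.
function formActionEscaped(array $server): string
{
    return '<form action="' . h($server['PHP_SELF']) . '" method="post">';
}

// Fix 2: SCRIPT_NAME holds only the script path (no PATH_INFO); escaping
// it as well costs nothing and is defence in depth.
function formActionScriptName(array $server): string
{
    return '<form action="' . h($server['SCRIPT_NAME']) . '" method="post">';
}

// Crude structural check: sane output has exactly one '<form' and no '<script'.
function looksInjected(string $html): bool
{
    return substr_count($html, '<form') !== 1 || strpos($html, '<script') !== false;
}

// Constructed request mirroring the quoted URI: the script is /bar/myform.php,
// everything after it in the path is PATH_INFO and therefore attacker data.
$server = [
    'SCRIPT_NAME' => '/bar/myform.php',
    'PATH_INFO'   => '/"></form><script>window.alert(\'Gotcha!\')</script><form action="/x',
];
$server['PHP_SELF'] = $server['SCRIPT_NAME'] . $server['PATH_INFO'];

foreach (['unsafe' => formActionUnsafe($server),
          'escaped' => formActionEscaped($server),
          'script_name' => formActionScriptName($server)] as $label => $html) {
    printf("%-12s injected=%s  %s\n", $label, looksInjected($html) ? 'yes' : 'no', $html);
}
```

Only the unsafe variant reports injected=yes; the escaped variant keeps the payload inside the attribute as text, and the SCRIPT_NAME variant never sees it at all.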