James G. Sack (jim) wrote:
> ..<big snip>
> => There is no reason to have post data provide anything resembling sql.
> You can always return a token (eg, "SEARCH_BY_FIRST_NAME"), and then
> look up the sql from a hash (or something equivalent)

SQL isn't the only thing to worry about protecting from spoofing. Similar patterns go for external program names or shell commands or even directory paths that users may be selecting from an option list. Such precautions should maybe even apply to internal code parameter passing, but web form data is the *easiest* thing to spoof.

> ..

Umm, now I really will stop, O:-)

Regards,
..jim

--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
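The token-lookup pattern from the message above, applied to all three cases it mentions (SQL, external commands, directory paths), as an added illustration that is not part of the original post. The table names, tokens, `/srv/exports` root and the in-memory sqlite database are all assumptions for the demo; anything not in the allowlist is rejected before it can reach the database, the process launcher or the filesystem.

```python
import sqlite3
import subprocess
from pathlib import Path

# Server-side allowlists keyed by opaque tokens. The form only ever carries
# the token; the SQL text, argv list or path never comes from the request.
SQL_BY_TOKEN = {
    "SEARCH_BY_FIRST_NAME": "SELECT id, first, last FROM people WHERE first = ?",
    "SEARCH_BY_LAST_NAME":  "SELECT id, first, last FROM people WHERE last = ?",
}
COMMAND_BY_TOKEN = {
    "DISK_USAGE": ["df", "-h"],      # argv list, never a shell string
}
EXPORT_ROOT = Path("/srv/exports")   # assumed root of user-selectable dirs
DIR_BY_TOKEN = {
    "REPORTS":  EXPORT_ROOT / "reports",
    "INVOICES": EXPORT_ROOT / "invoices",
}

class UnknownToken(ValueError):
    """Raised for any form value that is not exactly an allowlisted token."""

def lookup(table, token):
    try:
        return table[token]
    except KeyError:
        raise UnknownToken(f"rejected form value: {token!r}") from None

def run_search(conn, token, value):
    # The SQL comes from the hash; the user value only ever binds to '?'.
    sql = lookup(SQL_BY_TOKEN, token)
    return conn.execute(sql, (value,)).fetchall()

def command_argv(token):
    return list(lookup(COMMAND_BY_TOKEN, token))

def run_command(token):
    # shell=False: argv goes straight to exec, no shell parsing of the list.
    return subprocess.run(command_argv(token), capture_output=True, text=True)

def export_path(token):
    return lookup(DIR_BY_TOKEN, token)

def demo_db():
    # Constructed sample data for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER, first TEXT, last TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)",
                     [(1, "ann", "lee"), (2, "bob", "lee")])
    return conn
```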
