On Friday 27 April 2007 19:09, Cristian Rodriguez R. wrote:
> Randall R Schulz wrote:
> > In essence you're accepting fragments of PHP code
> > from the client
>
> nope. I'm accepting a value of type string, that in this particular
> case can be used to execute malicious code **on the client side**.

But as you said, the PHP is only running on the server.

> You are mixing apples with pears. SQL injection is one thing and XSS
> is another, quite different thing, but caused by the same problem: bad user
> input validation/escaping/whatever. (not a PHP problem, btw)

You've got to clarify this. I see an HTML form that submits PHP code. How is that not an avenue for an injection exploit?

What is XSS?

Randall Schulz
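As an added example (not code from either poster), here is the distinction the thread is circling, in PHP: one string submitted through a form reaches an HTML sink and a SQL sink, and each needs its own defence. It assumes PHP with the PDO SQLite driver; the input string and the `users` table are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: one unvalidated string, two
// sinks. In the HTML sink the browser runs it (XSS, client side); in the
// SQL sink the database runs it (SQL injection, server side). Each sink
// needs its own fix: encode for HTML output, parameterize for SQL.

// Constructed sample input standing in for $_POST['name'].
$userInput = "<script>alert(1)</script>' OR 1=1 --";

// ---- Sink 1: HTML output (XSS) ----------------------------------------
// Vulnerable: the raw string is pasted into the page, so the <script>
// element is parsed and executed by every browser that renders it.
$vulnerableHtml = "<p>Hello, $userInput</p>";

// Hardened: encode &, <, >, " and ' so the browser shows the text
// literally instead of treating it as markup.
$safeHtml = '<p>Hello, '
    . htmlspecialchars($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8')
    . '</p>';

// ---- Sink 2: SQL query (SQL injection) --------------------------------
// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Vulnerable: the quote in the input closes the string literal, the
// appended OR 1=1 matches every row, and -- comments out the rest.
$vulnerableSql = "SELECT name FROM users WHERE name = '$userInput'";
$leakedRows = $db->query($vulnerableSql)->fetchAll(PDO::FETCH_COLUMN);

// Hardened: a prepared statement sends the value separately from the
// query text, so it can only ever be compared as data, never parsed.
$stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute([$userInput]);
$safeRows = $stmt->fetchAll(PDO::FETCH_COLUMN);

echo "Vulnerable HTML: $vulnerableHtml\n";
echo "Escaped HTML:    $safeHtml\n";
echo 'Rows returned by concatenated SQL: ' . count($leakedRows) . "\n";
echo 'Rows returned by prepared SQL:     ' . count($safeRows) . "\n";
```

The concatenated query returns every row in the table while the prepared one returns none, which is the server-side half of the "same problem" Cristian describes; the unescaped `<p>` is the client-side half.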
