Robert Cummings wrote:

>> function hiddenInput($document,$name,$value) {
>>     $input = $document->createElement("input");
>>     $input->setAttribute("type","hidden");
>>     $input->setAttribute("name",$name);
>>     $input->setAttribute("value",$value);
>>     return($input);
>>     }
>> Does that answer your question?
> That was what I thought.
> Cheers,
> Rob.

Is there a reason I shouldn't be doing it that way?

The reasons I like it so much, even though it requires more lines to do the same thing -

1) Mixing html and php is really ugly and difficult to maintain - sometimes even a week after I write mixed code I have issues reading it, especially when mixing html and php inside a loop. It's much easier to track down a missing } this way.

2) Lets me easily translate to valid html 4.01 for clients that don't accept xml+html

3) So far I haven't (yet) found an xss attack that works with zero input validation. Everything I've tried - even the most bizarre filter dodging tricks - seems to be nicely turned into a text node. For that reason alone it seems worth it, but that's a side effect of me choosing to do things that way. A very pleasant one, though.

PHP General Mailing List (
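
The effect described in point 3, as an added example that is not part of the original post: a constructed payload is run through the posted `hiddenInput()` and through a string-concatenation counterpart, and both outputs are re-parsed to see whether a script element appears. `hiddenInputConcat()`, `inspect()`, the field name `token` and the payload are assumptions introduced here.

```php
<?php
// hiddenInput() adapted from the post (type hints added) so this file runs alone.
function hiddenInput(DOMDocument $document, string $name, string $value): DOMElement {
    $input = $document->createElement("input");
    $input->setAttribute("type", "hidden");
    $input->setAttribute("name", $name);
    $input->setAttribute("value", $value);
    return $input;
}

// Hypothetical unsafe counterpart: the value is pasted into markup unencoded.
function hiddenInputConcat(string $name, string $value): string {
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Re-parse a fragment as HTML; report script elements and the input's value.
function inspect(string $fragment): array {
    libxml_use_internal_errors(true);   // collect parser warnings quietly
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body><form>' . $fragment . '</form></body></html>');
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    return [
        'scripts' => $doc->getElementsByTagName('script')->length,
        'value'   => $inputs->length ? $inputs->item(0)->getAttribute('value') : null,
    ];
}

// Constructed value that tries to close the attribute and start a new element.
$payload = '"><script>alert(1)</script>';

$doc = new DOMDocument('1.0', 'UTF-8');
$outputs = [
    'concat' => hiddenInputConcat('token', $payload),
    'dom'    => $doc->saveXML(hiddenInput($doc, 'token', $payload)),
];

foreach ($outputs as $label => $markup) {
    $seen = inspect($markup);
    printf("%-6s %s\n", $label, $markup);
    printf("       script elements: %d, value intact: %s\n",
        $seen['scripts'], $seen['value'] === $payload ? 'yes' : 'no');
}
```

The serializer encodes for the markup context only: a value placed in a URL attribute such as `href`, or used as the text of a `script` element, still needs validation suited to that context.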