If you have an HTML form select field xyz with possible values "apple", "banana", and "cucumber", anyone can easily set xyz to an arbitrary value.
To prevent this, I create a hidden field code[xyz] with value:

    base64_encode(mcrypt_ecb(MCRYPT_RIJNDAEL_256, $salt, "apple,banana,cucumber", MCRYPT_ENCRYPT));

where $salt is stored in a file outside my webroot. The script receiving the POST data uses:

    mcrypt_ecb(MCRYPT_RIJNDAEL_256, $salt, base64_decode($_REQUEST['code']['xyz']), MCRYPT_DECRYPT);

and confirms xyz is really one of "apple", "banana", or "cucumber". Obviously, this can be extended to other types of form fields, and the check value can be a regular expression or even a function call.

Is this a new idea, or have people done this before?

--
We're just a Bunch Of Regular Guys, a collective group that's trying to understand and assimilate technology. We feel that resistance to new ideas and technology is unwise and ultimately futile.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
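
The hidden-field check described in the post, written as an added example that is not part of the original message: it authenticates the allow-list with an HMAC instead of encrypting it in ECB mode (encryption alone gives no integrity guarantee) and binds the tag to the field name so a value issued for one field is not accepted for another. The function names, token layout and key are assumptions made for this illustration.

```php
<?php
// Added example: helper names are hypothetical; $key is a constructed sample value.
// In practice the key would be read from a file outside the webroot, as in the post.

/** Build the hidden-field value: base64(JSON allow-list) . "." . HMAC tag. */
function make_field_token(string $key, string $field, array $allowed): string
{
    $payload = base64_encode(json_encode(array_values($allowed)));
    // Bind the tag to the field name so it is only valid for that field.
    $tag = hash_hmac('sha256', $field . '|' . $payload, $key);
    return $payload . '.' . $tag;
}

/** True only if the token is authentic for $field and $value is in its allow-list. */
function check_field_value(string $key, string $field, string $token, string $value): bool
{
    // Neither base64 nor the hex tag contains ".", so it is a safe separator.
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $tag] = $parts;
    $expected = hash_hmac('sha256', $field . '|' . $payload, $key);
    if (!hash_equals($expected, $tag)) { // constant-time comparison
        return false;
    }
    // Decode only after the tag has been verified.
    $allowed = json_decode(base64_decode($payload, true) ?: '', true);
    return is_array($allowed) && in_array($value, $allowed, true);
}

$key   = 'constructed-sample-key-not-for-production';
$token = make_field_token($key, 'xyz', ['apple', 'banana', 'cucumber']);

var_dump(check_field_value($key, 'xyz', $token, 'banana'));       // value from the list
var_dump(check_field_value($key, 'xyz', $token, 'durian'));       // value not in the list
var_dump(check_field_value($key, 'abc', $token, 'banana'));       // token presented for another field
var_dump(check_field_value($key, 'xyz', 'x' . $token, 'banana')); // modified token
```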