On Wed, Mar 10, 2010 at 22:27, Jochem Maas <joc...@iamjochem.com> wrote:
> Op 3/10/10 6:23 PM, Joseph Thayne schreef:
>> Looks to me like you are closing your form before you put anything in
>> it. Therefore, the loan_amount is not set making the value 0. Follow
>> the math, and you are dividing by 1-1.
>> Change this line:
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"></form>
>> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
> this is a XSS waiting to happen. I can put something like the following in
> the request uri:
> index.php?" onsubmit="evil()"><script
> with regard to the original problem - some input validation is in order.
PHP_SELF doesn't contain the query string, so your particular attack
wouldn't work. It's still a security issue though.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php