> the form is submitted, do the logic check and act accordingly.  Is it
> possible using $PHP_SELF as the target, or do I have to use 2 files: a
> form 'front end' with the php logic in the 'backend'??

#1.  Under no circumstances should you trust JavaScript to have sanitized
your data in any way, shape or form.  Furthermore, since you'll probably be
storing this data in a database, you should assume some hacker is attempting
to screw you with an age like:

$age = "38; drop table foo;";

So, when you do:

$query = "update foo set age = $age where id = $id";

What you *GET* is:

"update foo set age = $age; drop table foo; where id = $id"

Guess what?  Your foo table just got deleted.  Have a nice day.

So, here's a sample script for you, *complete* with some sample sanitizing:

Assumption:  You have a valid "id" for the record you are editing.

This page re-displays the data after updating it, which is good for
user-interface to correct any mis-typed data.

    # Initialize an "error message" for the user:
    $message = '';

    # If they filled in the blanks, deal with the data:
    if (isset($age)){
        # I believe the type-cast to (int) and back
        # will foil just about any SQL-related hack for integers...
        # For string data you'll have to examine the
        # actual data to determine what's invalid...

        $good_age = (int) $age;
        $age_string = (string) $good_age;
        if ($age != $age_string){
            $message .= "Invalid Age '$age'<BR>\n";

        $good_id = (int) $id;
        $id_string = (string) $good_id;
        if ($id != $id_string){
            $message .= "Invalid ID -- Your hack attempt and IP
($REMOTE_ADDR) have been logged.  Have a nice day.";
            # Emailing yourself on every hack attempt may be "too much"...
            # It's up to you exactly how to deal with the rats:
            mail("[EMAIL PROTECTED]", "Hack attempt", "$REMOTE_ADDR tried
ID $id on $PHP_SELF");

        if (!$message){
            $query = "update foo set age = $age where id = $id";
            # Displaying mysql_error() to the public is NOT GOOD.
            # It exposes your internal database structure too easily.
            # Log it somewhere for yourself in a production site.
            mysql_query($query) or die(mysql_error());
        # If this is their first time here, give a blank age:
        $age = '';
    <?php echo "<FONT COLOR=RED>$message</FONT><BR>\n";?>
    <INPUT TYPE=HIDDEN NAME=id VALUE=<?php echo $id;?>>
    <INPUT NAME=age VALUE='<?php echo $age;?>'>

WARNING [EMAIL PROTECTED] address is an endangered species -- Use
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to