Good starters. I would add one more starter item: don't blindly grab
everything out of the $_POST array. Instead, only grab the variables that
*you* put on the form page. A cracker might send you a name/value pair like
"$admin=1", trying to guess what flag you are using for "admin" users.
> -----Original Message-----
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 05, 2002 11:42 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Making sure a post request came from your site
> > Ok, then how do you go about checking to make sure that submitted
> > data is, in fact, benign and acceptable for your use?
> For starters:
> If it's supposed to be a number make sure that it is a number.
> If it's supposed to be a name make sure it only contains
> letters a-z & A-Z &
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php