Good starters. I would add one more starter item: don't blindly grab
everything out of the $_POST[] array. Instead, only grab the variables that
*you* put on the form page. A cracker might send you a name/value pair like
"$admin=1", trying to guess what flag you are using for "admin" users.


> -----Original Message-----
> From: Jason Wong [mailto:[EMAIL PROTECTED]]
> Sent: Friday, April 05, 2002 11:42 AM
> Subject: Re: [PHP] Making sure a post request came from your site
> > Ok, then how do you go about checking to make sure that submitted
> > data is, in fact, benign and acceptable for your use?
> For starters:
> If it's supposed to be a number make sure that it is a number.
> If it's supposed to be a name make sure it only contains letters a-z & A-Z & spaces.

PHP General Mailing List (
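As an added worked example (not code from this thread or its authors), the PHP below puts both pieces of advice together: the "grab everything out of $_POST" import that lets a forged admin=1 through, beside an allowlist-driven import that only looks at the fields you put on the form and checks each one against what it is supposed to be. The field names, the validation rules and the sample request are assumptions for illustration.

```php
<?php
// Added example, not from the original thread. Field names, rules and
// the sample request below are assumed for illustration.

// The fields *you* put on the form, and the check each must pass.
// Anything the client sends that is not listed here is never looked at.
$expected = [
    'age'  => 'number',
    'name' => 'name',
];

// Constructed sample request: the real form fields plus a smuggled flag.
$posted = [
    'name'  => 'Jason Wong',
    'age'   => '42',
    'admin' => '1',          // attacker-supplied guess at an "admin" flag
];

// DANGEROUS: copies every submitted pair, so $vars['admin'] (or $admin,
// with extract() or the old register_globals behaviour) is set by the
// client rather than by your code.
function insecure_import(array $post): array
{
    $vars = [];
    foreach ($post as $key => $value) {
        $vars[$key] = $value;   // equivalent to extract($post)
    }
    return $vars;
}

// SAFE: iterate over OUR list of fields, not the client's, and validate
// each value. Returns the clean values, or null as soon as one field is
// missing or invalid (fail closed).
function validate_post(array $expected, array $post): ?array
{
    $clean = [];
    foreach ($expected as $field => $rule) {
        // name[]=x would arrive as an array, so require a plain string
        if (!array_key_exists($field, $post) || !is_string($post[$field])) {
            return null;
        }
        $value = $post[$field];
        switch ($rule) {
            case 'number':
                // digits only: rejects "", "+1", "1e3", " 1", "1.0"; also
                // bound the length so it fits a normal integer
                if (!ctype_digit($value) || strlen($value) > 9) {
                    return null;
                }
                $clean[$field] = (int) $value;
                break;
            case 'name':
                // letters a-z, A-Z and spaces only, with a length bound;
                // \A and \z anchor the whole string (no trailing newline)
                if (!preg_match('/\A[A-Za-z ]{1,64}\z/', $value)) {
                    return null;
                }
                $clean[$field] = $value;
                break;
            default:
                return null;    // unknown rule: refuse rather than pass through
        }
    }
    return $clean;
}

// The insecure import carries the forged field along with the real ones.
$vars = insecure_import($posted);
var_dump(isset($vars['admin']));

// The allowlisted import returns only 'age' and 'name'; 'admin' is ignored
// because it was never on our form.
var_dump(validate_post($expected, $posted));

// A name with a hyphen and digits, and an age with a space, are rejected.
var_dump(validate_post($expected, ['name' => 'R2-D2', 'age' => '42']));
var_dump(validate_post($expected, ['name' => 'Ann', 'age' => '4 2']));
```

In a real script you would call validate_post($expected, $_POST) at the top of the page and stop (or redisplay the form) on a null result. The two design points worth copying are that the loop runs over your own $expected list rather than over $_POST, so a client cannot add keys, and that each check is a positive description of what the value may contain (digits; letters and spaces) rather than a list of bad characters to strip out.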