And... --- CJ <[EMAIL PROTECTED]> wrote:
...[snip]...
> > Also is this a big security risk as I will be
> > echoing the 2nd variable as the contents of a form field.
> > Would it be possible for someone to type in
> > the URL with HTML/php in it that would make a mess
> > of everything?

Well, it is possible.

> > How can I protect against this?

Validate *everything* that comes in.

> > Would it be sufficient to just parse the 2nd variable
> > for non alphabetic characters and remove them?

A better approach would be:

1. Use method="post" instead of the default method="get"
2. You can try "limiting" the subject that a person can choose

For #2, you could create a drop-down like this:

    <select name="subject">
      <option value="1">Enquiry</option>
      <option value="2">Comments</option>
      <!-- other options here -->
    </select>

Notice that your values are numeric so you can just use is_numeric() to validate them. There's a catch though--inside your script you have to turn those numbers back into their corresponding descriptions (e.g. "comments", etc.)

Of course, you can just decide to NOT use the above way. You can have the descriptions being passed directly. (i.e. <option>Enquiry</option>, etc.) This time, perhaps, you can use regex or something to validate them.

HTH,

- E

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
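The drop-down approach from the reply above, as an added example that is not part of the original post: the numeric value is checked with is_numeric(), mapped back to its description through a server-side allow-list, and escaped when echoed into the form field. The names `SUBJECTS` and `subject_from_request` and the sample inputs are hypothetical, and the `htmlspecialchars()` step is an addition the reply does not mention.

```php
<?php
declare(strict_types=1);

// Hypothetical server-side allow-list: the numeric option values from
// the drop-down mapped back to their descriptions.
const SUBJECTS = [
    1 => 'Enquiry',
    2 => 'Comments',
];

// Returns the description for a submitted value, or null if invalid.
function subject_from_request(array $post): ?string
{
    $raw = $post['subject'] ?? null;
    // Reject arrays (subject[]=x) and anything that is not numeric.
    if (!is_string($raw) || !is_numeric($raw)) {
        return null;
    }
    // is_numeric() also accepts "1e0", "1.0" and " 1"; the exact key
    // lookup is what limits the value to an option that exists.
    return SUBJECTS[$raw] ?? null;
}

// Constructed sample submissions, not taken from the thread.
$samples = ['2', '1e0', '99', '"><b>hello</b>', ['nested']];

foreach ($samples as $value) {
    $subject = subject_from_request(['subject' => $value]);
    if ($subject === null) {
        echo "rejected: " . json_encode($value) . "\n";
        continue;
    }
    // Escape on output as well, so the form field stays intact even if
    // a description later contains quotes or angle brackets.
    printf(
        "<input type=\"text\" name=\"subject\" value=\"%s\">\n",
        htmlspecialchars($subject, ENT_QUOTES, 'UTF-8')
    );
}
```

In a real handler the call would be `subject_from_request($_POST)`; only the first sample produces an input element, the other four are rejected.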