on 15/11/02 12:11 AM, CJ ([EMAIL PROTECTED]) wrote:

> I have a "contact us" php script on my site that allows users to email
> direct from the website.  I want to be able to pass the to address and
> subject line to the script so I can call the web page from elsewhere on the
> site and have it automatically choose the correct email address and subject
> line.
> EG instead of using <a href=mailto:joe@;bloggs.mail.com> which requires them
> to have an email client set up on the machine I want to link to
> <a href=contactus.php?email=director subject=job enquiry>
> The script already handles the email=director by setting a default entry in
> a drop down form but I can't get it to separate the first and second
> variables in the URL.

<a href="contactus.php?email=director&subject=job_enquiry">

> Also is this a big security risk as I will be echoing the 2nd variable as
> the contents of a form field.  Would it be possible for someone to type in
> the URL with HTML/php in it that would make a mess of everything?  How can I
> protect against this?  Would it be sufficient to just parse the 2nd variable
> for non alphabetic characters and remove them?

As I think I read in a reply by someone else, I'd have numeric IDs for both the
staff AND the subject.


1 = general enquiry
2 = technical support
3 = gambling addiction
4 = debate about red cars being faster

Then your link url is a lot cleaner

<a href="contactus.php?e=2&s=4">

contactus.php simply has to check an array, or sql table, or what ever, to
find out what a subject id of "1" really is.  To ensure extra security over
text stuff, you can check to make sure $e and $s are both numeric
(check out is_numeric(), is_int(), etc etc).

You could also set defaults, so that if the $s or $e is excluded, or
invalid, you can set a default.

So these three links won't break the page:

<a href="contactus.php">
<a href="contactus.php?s=3">
<a href="contactus.php?e=2">

Good luck

Justin French
Web Development & 
Graphic Design
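Below is an added example of the numeric-ID approach described in Justin's reply, written for this page and not code from either poster. It assumes the page is called as contactus.php?e=2&s=4, that the staff and subject tables are plain PHP arrays (a SQL table would be looked up the same way), and that the addresses, the `sendmail.php` action and the `pick_id()` helper are placeholders invented here. Both ids are validated as whole numbers and then looked up in an allow-list, so nothing taken from the URL is ever echoed into the page or used as a mail address; anything missing or invalid falls back to a default, which is what keeps the three shorter links from breaking the page.

```php
<?php
// Added example for the contactus.php idea in the reply above; not the poster's code.
// Assumption: e and s arrive as query-string ids, e.g. contactus.php?e=2&s=4.

// Allow-lists keyed by numeric id. Addresses and labels are placeholders.
$staff = [
    1 => ['label' => 'General enquiries', 'address' => 'info@example.com'],
    2 => ['label' => 'Director',          'address' => 'director@example.com'],
];
$subjects = [
    1 => 'general enquiry',
    2 => 'technical support',
    3 => 'gambling addiction',
    4 => 'debate about red cars being faster',
];

// Defaults used when an id is missing or invalid (assumed values).
const DEFAULT_STAFF   = 1;
const DEFAULT_SUBJECT = 1;

/**
 * Return the id from the query string if it is a string of digits that exists
 * as a key in $table, otherwise $default. A missing parameter, an array
 * (?e[]=1), "4abc" or anything containing HTML all end up as the default, so
 * the only values that reach the page are ones we defined ourselves.
 */
function pick_id($value, array $table, int $default): int
{
    if (!is_string($value) || !ctype_digit($value)) {
        return $default;
    }
    $id = (int) $value;
    return array_key_exists($id, $table) ? $id : $default;
}

$e = pick_id($_GET['e'] ?? null, $staff, DEFAULT_STAFF);
$s = pick_id($_GET['s'] ?? null, $subjects, DEFAULT_SUBJECT);

// The address is resolved server-side from the id; it never comes from the URL.
$to = $staff[$e]['address'];
?>
<form method="post" action="sendmail.php">
  <p>Sending to: <?= htmlspecialchars($staff[$e]['label'], ENT_QUOTES, 'UTF-8') ?></p>
  <input type="hidden" name="e" value="<?= $e ?>">
  <select name="s">
    <?php foreach ($subjects as $id => $label): ?>
      <option value="<?= $id ?>"<?= $id === $s ? ' selected' : '' ?>>
        <?= htmlspecialchars($label, ENT_QUOTES, 'UTF-8') ?>
      </option>
    <?php endforeach; ?>
  </select>
  <textarea name="message"></textarea>
  <input type="submit" value="Send">
</form>
```

The values echoed into the form are integers and labels from the server-side arrays, so the HTML-in-the-URL worry from the question does not arise; `htmlspecialchars()` is still applied to the labels as a habit so that a later change to the table contents cannot break the markup. Whatever script receives the POST should run the same `pick_id()` lookups on the posted `e` and `s` rather than trusting the hidden field, since a visitor can edit it just as easily as the URL.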

PHP General Mailing List (http://www.php.net/)