NYCPHP Meetup

NYPHP.org

[nycphp-talk] PHP Form Validation

David Mintz dmintz at davidmintz.org
Thu Sep 1 21:41:35 EDT 2005


On Thu, 1 Sep 2005, Chris Shiflett wrote:

> Cliff Hirsch wrote:
> > See: http://www.phpbuilder.com/columns/weiner20050831.php3
> >
> > Beside the primary validation content, the article uses the
> > following example, which I often see:
> > <input type="text" name="email" value="<?=$_POST['email']?>" />
>
> This is really a big problem within our community. I can't think of a
> more obvious XSS vulnerability, but here it is in an article that
> numerous developers will read and apply to their own development.
<big snip />

I can testify that reading questionable tutorials and articles can set you
way back. Granted, it was back in the days when people were still using PHP
3, and security and hygiene awareness in general was probably lower, but
when I first started using PHP I got off to a poor start relying on
register_globals, using uninitialized variables, developing without
E_NOTICE turned on, not quoting $array[key], etc., all because of following
published examples. Sure, a more experienced, heads-up developer would
have known better, but...


---
David Mintz
http://davidmintz.org/
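The snippet quoted at the top of the thread, `<input ... value="<?=$_POST['email']?>" />`, is a reflected XSS: whatever the client submits as `email` is written back into an HTML attribute with no encoding, so a value containing `"` can close the attribute and start a new tag. Below is an added example (not code from the thread, the cited article, or any listed project) that shows the vulnerable pattern beside a hardened version. The payload string and the function names are constructed for illustration.

```php
<?php
// Added example, not from the original thread or the PHPBuilder article.

// Constructed attacker input: closes the value="..." attribute and the
// <input> tag, injects a script, then opens a dummy attribute so the
// rest of the original tag still parses.
$submitted = '"><script>alert(document.cookie)</script><input value="';

// The pattern from the thread: the raw POST value is concatenated into
// an attribute. This is the vulnerable form and is kept as-is on purpose.
function renderEmailFieldVulnerable($value)
{
    return '<input type="text" name="email" value="' . $value . '" />';
}

// Hardened form: encode for the HTML attribute context before output.
// ENT_QUOTES also encodes single quotes, so the value is safe inside
// either quoting style; the charset must match what the page declares.
// Note: from PHP 5.4 on, htmlspecialchars() returns an empty string for
// invalid UTF-8 unless ENT_SUBSTITUTE is added, which replaces bad bytes
// with U+FFFD instead of silently blanking the field.
function renderEmailFieldSafe($value)
{
    $flags = ENT_QUOTES;
    if (defined('ENT_SUBSTITUTE')) {
        $flags |= ENT_SUBSTITUTE;
    }
    $escaped = htmlspecialchars($value, $flags, 'UTF-8');
    return '<input type="text" name="email" value="' . $escaped . '" />';
}

// Reading the field without the E_NOTICE the thread mentions: never
// assume $_POST['email'] exists, and never rely on register_globals.
$email = isset($_POST['email']) ? (string) $_POST['email'] : $submitted;

echo "Vulnerable:\n", renderEmailFieldVulnerable($email), "\n\n";
echo "Hardened:\n", renderEmailFieldSafe($email), "\n";
```

Run it from the command line with `php example.php`; with no POST data the constructed payload is used, and the two output lines show the difference between the markup an attacker controls and the same bytes rendered as inert text. The same encoding rule applies to any other attribute or element body that receives user input; a different context (a JavaScript string, a URL, a CSS value) needs a different encoder, and `htmlspecialchars()` alone is not sufficient there. Two further points the thread touches on: `<?=` depends on `short_open_tag` before PHP 5.4, and output encoding is the fix for XSS regardless of how much input validation happens first.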


