[nycphp-talk] PHP Form Validation

Billy Reisinger mail at billyreisinger.com
Thu Sep 1 22:36:40 EDT 2005


On Sep 1, 2005, at 6:37 PM, Chris Shiflett wrote:

> Cliff Hirsch wrote:
>
>> See: http://www.phpbuilder.com/columns/weiner20050831.php3
>>
>> Beside the primary validation content, the article uses the
>> following example, which I often see:
>> <input type="text" name="email" value="<?=$_POST['email']?>" />
>>
>
> This is really a big problem within our community. I can't think of a
> more obvious XSS vulnerability, but here it is in an article that
> numerous developers will read and apply to their own development.
>

Correct me if I'm wrong here, folks, but using a $_POST['variable']
directly in a form is no more or less vulnerable to attack than using
a different variable that is a reference to a $_POST variable. If
you want to carry over form values after errors or across multiple
form pages (i.e. preserve state), you have to reference these $_POST
variables eventually, in some form or fashion. In this sense, ALL
forms are vulnerable to hacks. It should be a necessary step for
you to validate and protect yourself against any variable that your
users can change.
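The pattern the thread is arguing about, shown as an added example (not code from the article, from Chris Shiflett, or from Billy Reisinger): the unescaped `value="<?=$_POST['email']?>"` form beside a version that escapes for the HTML attribute context, plus the validation step Billy describes. The function names and the sample input are constructed for this illustration. The point the example makes is that validation and output escaping are separate controls: on a validation failure the rejected value is usually echoed back into the form so the user can correct it, so the invalid value still reaches the page and must be escaped regardless.

```php
<?php
// Added example, not part of the original thread. Function names and the
// sample input below are constructed for illustration.

// Vulnerable form of the pattern from the article: the submitted value is
// placed inside an attribute unescaped. A double quote in the input closes
// the attribute, and whatever follows is interpreted as markup.
function emailFieldUnsafe(array $post): string
{
    $email = isset($post['email']) ? $post['email'] : '';
    return '<input type="text" name="email" value="' . $email . '" />';
}

// Hardened form: escape for the HTML attribute context before echoing.
// ENT_QUOTES converts both quote styles, ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string, and the explicit
// charset avoids mis-escaping multibyte text.
function escapeAttr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function emailFieldSafe(array $post): string
{
    $email = isset($post['email']) ? $post['email'] : '';
    return '<input type="text" name="email" value="' . escapeAttr($email) . '" />';
}

// Validation is a separate control. It decides whether the submission is
// accepted; it does not decide how the value is rendered when redisplayed.
function validateEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed sample: a quote and tags where an address should be. This is
// exactly the case where the value fails validation and is echoed back into
// the form so the user can fix it.
$sample = ['email' => '"><em>not an address</em>'];

if (!validateEmail($sample['email'])) {
    // The rejected value is redisplayed: escaping is what keeps the markup
    // inert, whether or not validation passed.
    echo emailFieldUnsafe($sample), PHP_EOL;
    echo emailFieldSafe($sample), PHP_EOL;
}
```

Running the script prints the two renderings side by side: in the first the attribute is closed by the submitted quote and the `<em>` element becomes part of the page, in the second every quote and angle bracket is an entity and the whole submission stays inside the `value` attribute. The same `escapeAttr` wrapper applies to any `$_POST` value or copy of one that is echoed into markup, which is the point Billy makes: it is the act of echoing user-controlled data, not the `$_POST` superglobal itself, that needs the protection.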
