NYCPHP Meetup

NYPHP.org

[nycphp-talk] Managing form data with PHP

Gary Mort bz-gmort at beezifies.com
Sun Dec 16 10:14:07 EST 2007


David Mintz wrote:
> Once upon a time someone said it was a security risk to echo back 
> $_POST data unconditionally, even if you escape it, and even though 
> you are only showing them the very thing they just submitted to you. 
> But I forget what that risk was. Maybe I misremember.

It depends on what you're doing.

As an example, what if you're echoing the message text for an email someone sends 
to your site.  It's just one field, and you put your logo and framing 
around it, but without much explanatory text.

Now, I trick someone with an account on your site into posting to that form 
and displaying the following text:
"There is a problem with your account.  Please contact scumsucker at 
212-000-0000 and have your account name and the credit card number 
associated with the account to verify account ownership".


Oops, not such a good idea to display that on your site!
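The scenario above, worked through in PHP as an added example that is not code from the original thread or either poster. The attacker payload, the session array and the function names (renderUnconditional, renderConditional, issueToken) are constructed for illustration. The point it shows is that htmlspecialchars() stops script injection but does nothing about the phishing text itself: once the submission is echoed inside the site's own framing, the victim reads it as a site notice. The hardened version only echoes a submission that carries a token issued to the submitting browser's session (which a cross-site forced POST cannot supply) and labels the echoed text as the user's own input.

```php
<?php
// Added example, not from the original mailing-list post.
// Demonstrates why "escaped" is not the same as "safe to echo back":
// a cross-site POST forced from the attacker's page gets the attacker's
// text rendered under the site's logo. Escaping prevents XSS, not phishing.

declare(strict_types=1);

// Constructed attacker payload: what the victim's browser would POST after
// visiting an attacker page with an auto-submitting form pointing at us.
const ATTACKER_POST = [
    'message' => "There is a problem with your account. Please contact 212-000-0000 "
               . "and have your account name and credit card number ready.",
];

function escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// BEFORE: echoes whatever was posted, escaped. No script injection, but the
// phishing text appears verbatim inside the site's own frame with no
// indication that it is user-supplied.
function renderUnconditional(array $post): string
{
    $msg = escape($post['message'] ?? '');
    return "<div class=\"site-frame\"><img src=\"/logo.png\" alt=\"logo\">\n"
         . "<p>{$msg}</p></div>\n";
}

// Issue a per-session token when the form is served (hypothetical helper;
// in a real app $session would be $_SESSION and the token a hidden field).
function issueToken(array &$session): string
{
    $session['form_token'] = bin2hex(random_bytes(32));
    return $session['form_token'];
}

// AFTER: only echo back a submission that carries the token issued to this
// browser's session. An attacker forcing a cross-site POST never sees the
// victim's token, so the forced submission is rejected instead of displayed.
// The echoed text is also labelled as the user's own words so it cannot
// pass as a notice from the site.
function renderConditional(array $post, array $session): string
{
    $sent     = $post['form_token'] ?? '';
    $expected = $session['form_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return "<div class=\"site-frame\"><p>The form could not be submitted. "
             . "Please go back and try again.</p></div>\n";
    }
    $msg = escape($post['message'] ?? '');
    return "<div class=\"site-frame\">\n"
         . "<p><strong>Your message (as you typed it):</strong></p>\n"
         . "<blockquote>{$msg}</blockquote></div>\n";
}

// CLI demo of the three cases.
$session = [];
$token   = issueToken($session);

echo "--- unconditional echo of a forced cross-site POST ---\n";
echo renderUnconditional(ATTACKER_POST);

echo "--- conditional echo, forced cross-site POST (no token) ---\n";
echo renderConditional(ATTACKER_POST, $session);

echo "--- conditional echo, legitimate POST from our own form ---\n";
echo renderConditional(['form_token' => $token, 'message' => 'Hi, <b>test</b>'], $session);
```

Run it with `php example.php`. The token check only closes the forced-submission path; it does not help when the attacker simply pastes the text into your form from their own account, which is why the visible "as you typed it" label matters as well: the reader must never mistake echoed input for something the site is telling them.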


