Geoff Caplan wrote:
> Hi folks
>
> Seems we have two schools of thought:
>
> 1) The validation/escaping approach, supported by Bill and Jim
>
> 2) The "don't mix data with code" approach supported by Peter and
> Greg.
>
> As I learn more about the issues, I am increasingly veering towards
> the second approach.

Now I always assumed that the correct approach was always going to be
D) ALL of the above.

Furthermore, if you are really concerned about passing information through the URL, consider relating data in your database to sessions, cookies, and file caches to alias all those fields you pass back and forth to a session ID or similar. The example of "...index.html?id=34" is sufficient for much of this, though I doubt 'zine articles merit greater security than this.
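The following is an added example, not code from this thread or from any of its participants. It puts Geoff's two schools of thought side by side (escaping the value versus keeping the value out of the SQL text entirely) and then adds the session-alias idea from the reply above, where the URL carries an opaque token instead of the real row id. It assumes an in-memory SQLite database standing in for PostgreSQL, and the table layout, sample rows, payload strings and helper names are all constructed for illustration.

```python
"""Added example, not from the thread: the two approaches discussed
(escaping versus keeping data out of the code) plus the session-alias
idea, run against an in-memory SQLite database standing in for
PostgreSQL. Table layout, sample rows and helper names are constructed
for illustration."""
import secrets
import sqlite3

# Constructed sample data: one public 'zine article plus one unpublished draft.
SAMPLE_ROWS = [
    (34, "Public article", 1),
    (35, "Unpublished draft", 0),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def titles_unsafe(conn, raw_id: str) -> list:
    """Data pasted straight into code: the ?id= value becomes part of the SQL."""
    sql = f"SELECT title FROM articles WHERE id = {raw_id} AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def titles_escaped(conn, raw_id: str) -> list:
    """Approach 1: escape the value and wrap it in quotes.  This holds only
    because the escaping (quote doubling) matches the quoting context the
    value is placed in; get either half wrong and the injection returns."""
    escaped = raw_id.replace("'", "''")
    sql = f"SELECT title FROM articles WHERE id = '{escaped}' AND published = 1"
    return [row[0] for row in conn.execute(sql)]


def titles_param(conn, raw_id: str) -> list:
    """Approach 2: the SQL text is fixed; the value travels as a bound
    parameter and is never parsed as SQL, whatever it contains."""
    sql = "SELECT title FROM articles WHERE id = ? AND published = 1"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


class Session:
    """Server-side map from opaque URL tokens to real row ids, so the page
    links to ?a=<token> instead of ?id=34 and a guessed id resolves to nothing.
    (Hypothetical helper; a real app would keep this in its session store.)"""

    def __init__(self):
        self._aliases = {}

    def alias(self, real_id: int) -> str:
        token = secrets.token_urlsafe(16)
        self._aliases[token] = real_id
        return token

    def resolve(self, token: str):
        return self._aliases.get(token)


def titles_via_alias(conn, session: Session, token: str) -> list:
    """Only tokens this server issued map to a row; everything else is empty."""
    real_id = session.resolve(token)
    if real_id is None:
        return []
    return titles_param(conn, str(real_id))


if __name__ == "__main__":
    db = make_db()
    attack = "35 OR 1=1"                  # constructed payload for ?id=
    print(titles_unsafe(db, attack))      # leaks the unpublished draft
    print(titles_escaped(db, attack))     # []
    print(titles_param(db, attack))       # []
    s = Session()
    tok = s.alias(34)
    print(titles_via_alias(db, s, tok))   # ['Public article']
    print(titles_via_alias(db, s, "35"))  # [] : not a token we issued
```

The unsafe query turns `35 OR 1=1` into `WHERE id = 35 OR 1=1 AND published = 1`, which returns the draft; the escaped and parameterized versions both compare the whole string as a single value and return nothing. The difference between the two safe versions is where the guarantee comes from: escaping is correct only for the quoting context it was written for, while a bound parameter is never handed to the SQL parser at all, which is what "don't mix data with code" buys you.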

