> the form is submitted, do the logic check and act accordingly. Is it
> possible using $PHP_SELF as the target, or do I have to use 2 files: a
> form 'front end' with the php logic in the 'backend'??
#1. Under no circumstances should you trust JavaScript to have sanitized
your data in any way, shape or form. Furthermore, since you'll probably be
storing this data in a database, you should assume some hacker is attempting
to screw you with an age like:
$age = "38; drop table foo;";
So, when you do:
$query = "update foo set age = $age where id = $id";
What you *GET* is:
"update foo set age = $age; drop table foo; where id = $id"
Guess what? Your foo table just got deleted. Have a nice day.
So, here's a sample script for you, *complete* with some sample sanitizing:
Assumption: You have a valid "id" for the record you are editing.
This page re-displays the data after updating it, which is good for
user-interface to correct any mis-typed data.
<?php
# Initialize an "error message" for the user:
$message = '';
# $_POST / $_SERVER replace the register_globals variables of the original,
# and $db is assumed to be an already-open mysqli connection.
$id = $_REQUEST['id'] ?? '';
# If they filled in the blanks, deal with the data:
if (isset($_POST['age'])) {
    $age = $_POST['age'];
    # I believe the type-cast to (int) and back
    # will foil just about any SQL-related hack for integers...
    # For string data you'll have to examine the
    # actual data to determine what's invalid...
    $good_age   = (int) $age;
    $age_string = (string) $good_age;
    if ($age !== $age_string) {
        # Escape the raw value before echoing it back into the page:
        $message .= "Invalid Age '" . htmlspecialchars($age) . "'<BR>\n";
    }
    $good_id   = (int) $id;
    $id_string = (string) $good_id;
    if ($id !== $id_string) {
        $message .= "Invalid ID -- Your hack attempt and IP ({$_SERVER['REMOTE_ADDR']}) have been logged. Have a nice day.";
        # Emailing yourself on every hack attempt may be "too much"...
        # It's up to you exactly how to deal with the rats:
        mail("[EMAIL PROTECTED]", "Hack attempt",
             "{$_SERVER['REMOTE_ADDR']} tried ID $id on {$_SERVER['PHP_SELF']}");
    }
    if (!$message) {
        # Use the sanitized integers, never the raw input, in the query:
        $query = "update foo set age = $good_age where id = $good_id";
        # Displaying mysqli_error() to the public is NOT GOOD.
        # It exposes your internal database structure too easily.
        # Log it somewhere for yourself in a production site.
        mysqli_query($db, $query) or die(mysqli_error($db));
    }
} else {
    # If this is their first time here, give a blank age:
    $age = '';
}
?>
<FORM ACTION="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" METHOD=POST>
<?php echo "<FONT COLOR=RED>$message</FONT><BR>\n"; ?>
<INPUT TYPE=HIDDEN NAME=id VALUE="<?php echo htmlspecialchars($id); ?>">
<INPUT NAME=age VALUE="<?php echo htmlspecialchars($age); ?>">
<INPUT TYPE=SUBMIT>
</FORM>
--
WARNING [EMAIL PROTECTED] address is an endangered species -- Use
[EMAIL PROTECTED]
Wanna help me out? Like Music? Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
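The reply above shows why an integer field must be validated before it reaches the SQL text. The following is an added example, not code from the post or its author, that takes the same hostile value ("38; drop table foo;") and a few look-alikes through a strict validator based on filter_var(FILTER_VALIDATE_INT), then performs the update with a PDO prepared statement so that values are bound rather than interpolated. It assumes an in-memory SQLite database as a stand-in for the MySQL table "foo", a constructed $post array instead of a real request, and a placeholder client address.

```php
<?php
// Added example (not from the original post): strict integer validation plus a
// prepared statement for the age/id update discussed above.

// Returns the integer, or null when the input is not a plain decimal integer
// inside [$min, $max]. FILTER_VALIDATE_INT rejects "38; drop table foo;",
// "38.0", "1e3" and "0x26"; only surrounding whitespace is tolerated.
function validate_int(string $raw, int $min = 0, int $max = PHP_INT_MAX): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $value === false ? null : $value;
}

// Updates foo.age for one row with bound parameters: the values are sent to the
// engine separately from the SQL text, so they can never become statements.
// Returns the number of rows changed.
function update_age(PDO $db, int $id, int $age): int
{
    $stmt = $db->prepare('UPDATE foo SET age = :age WHERE id = :id');
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs: the hostile value from the post plus some look-alikes.
$inputs = ['38', '38; drop table foo;', '38.0', '1e3', '-1', '0x26'];
foreach ($inputs as $raw) {
    $v = validate_int($raw, 0, 150);
    printf("%-24s => %s\n", var_export($raw, true),
        $v === null ? 'rejected' : "accepted ($v)");
}

// In-memory SQLite stands in for the MySQL table "foo" from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, age INTEGER)');
$db->exec('INSERT INTO foo (id, age) VALUES (7, 30)');

// Simulated form submission (constructed): the id is fine, the age is the
// attack string. A real script would read $_POST and $_SERVER['REMOTE_ADDR'].
$post   = ['id' => '7', 'age' => '38; drop table foo;'];
$client = '203.0.113.5';  // placeholder address, not a real client
$id  = validate_int($post['id'], 1);
$age = validate_int($post['age'], 0, 150);

if ($id === null || $age === null) {
    // Log the rejected value for yourself; show the user only a generic message
    // and never echo the raw input back into the page unescaped.
    error_log(sprintf('Rejected input id=%s age=%s from %s',
        $post['id'], $post['age'], $client));
    echo "Invalid input\n";
} else {
    printf("Updated %d row(s)\n", update_age($db, $id, $age));
}

// The table is intact: the rejected value never reached the SQL engine.
printf("Rows in foo: %d\n", $db->query('SELECT COUNT(*) FROM foo')->fetchColumn());
```

Run it with the PHP CLI (php example.php); it needs the pdo_sqlite extension. With a valid age such as '38' in $post the prepared statement updates row 7, and with the hostile string the request is rejected before any SQL is built. The (int) round-trip from the post stops the same payload, but filter_var also refuses values like "38.0" that a loose != comparison lets through, and the prepared statement removes the need to get the string-building right at all.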
--
PHP General Mailing List (http://www.php.net/)