Posted by Michael Fesser on 10/13/07 13:20
..oO(Summercool)
>On Oct 13, 5:29 am, Michael Fesser <neti...@gmx.de> wrote:
>
>> Actually this is a pretty simple task, in fact the PHP code for a single
>> input field could be reduced to a single line if necessary. So I'm quite
>> curious how it's done in your books.
>
><form action="self.php" method="get">
><input name="val" type="text" value="<?= $_GET["val"] ?>">
><input type="submit" value="Post it">
></form>
></div>
>
>usually they do something like this...
OK. Even if the PHP code there is quite small, it contains 3(!) errors,
one of which is critical:

1) It relies on short open tags, which is a bad idea in general, because
it's an optional feature.
Fix: Use <?php echo ... ?> to print something out. This will work on all
servers and configurations.

2) It doesn't check if there's a submitted value at all. The first call
of that page would throw a notice.
Fix: Check with isset($_GET['val']) if there is something at all before
using it. Such checks should be done for _all_ submitted variables.

3) The worst is the missing escaping of special HTML chars, which not
only breaks the form if such chars were entered (which is the problem
you encountered), it also allows for cross-site scripting attacks.
Fix: Use htmlspecialchars() to escape any special chars in $_GET['val']
before printing it out. See the manual for details about the possible
parameters.
Micha
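The same one-field form with all three points from the reply applied, as an added example that is not code from the thread (the helper names h() and get_param() are my own, and the block assumes PHP 7 or later for the scalar type declarations):

```php
<?php
// Added example, not from the original posting. Assumes PHP 7+ and a UTF-8 page.

// Escape a value for use inside an HTML attribute or text node (point 3).
// ENT_QUOTES escapes both " and ' so the value cannot break out of the
// value="..." attribute; passing the charset explicitly avoids surprises
// when the server's default differs from the page encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Read a submitted GET parameter, or return a default when it is absent (point 2).
// The isset() check avoids the "undefined index" notice on the first request,
// before the form has ever been submitted. The is_string() check additionally
// rejects a request such as ?val[]=x, where PHP would hand us an array and
// htmlspecialchars() would fail.
function get_param(string $name, string $default = ''): string
{
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

$val = get_param('val');
?>
<!-- Full "<?php echo ... ?>" tags instead of the optional short-tag syntax (point 1). -->
<form action="self.php" method="get">
<input name="val" type="text" value="<?php echo h($val); ?>">
<input type="submit" value="Post it">
</form>
```

With this in place, a submitted value containing quotes, ampersands or angle brackets is rendered back into the input field as entity-encoded text, so it neither breaks the attribute nor is interpreted as markup by the browser.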