You are here: Re: Need expert help with advanced form Submit question « HTML « IT news, forums, messages
Re: Need expert help with advanced form Submit question

Posted by Jonathan N. Little on 10/19/07 14:26

nice.guy.nige wrote:
> While the city slept, SaraLeePerson@gmail.com (SaraLeePerson@gmail.com)
> feverishly typed...
>
> [...]
>> <form method=post action="">
>> <INPUT type="submit" name="button">
>> <input type="hidden" name="test_Data" value="100">
>> </form>
>>
>> So basically I want to prove hitting the form submit button sends me
>> to the same page it is on, and passes some result back to it, and I
>> can take it from there. Can this be done? :)
>
> Assuming you have PHP on your server, try something like the following;
>
> <form method="post" action="<? echo $_SERVER["PHP_SELF"]; ?>">
> (rest of form...)
> </form>

I feel compelled to warn you all that you should *not* do the above
example. There is an XSS flaw in it. A safe example to demonstrate the
risk is to pass this to the example script:

http://example.com/risky.php/%22%3E%3Cscript%3Ealert('xss, time to be
worried')%3C/script%3E%3Cfoo

You will get a harmless alert box, but there are a lot more nefarious
things that can be done. There is an easy fix though, don't use the raw
URL parsed by $_SERVER["PHP_SELF"].

sanitized=htmlentities($_SERVER['PHP_SELF']); // prevent XSS insertion

Then use:

<form method="post" action="<?php echo $sanitized; ?>">




--
Take care,

Jonathan
-------------------
LITTLE WORKS STUDIO
http://www.LittleWorksStudio.com

 

Navigation:

[Reply to this message]


Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация