Posted by Rik on 05/14/06 17:39
nescio wrote:
>> You don't control posting to a script, it could contain everything.
>> Name your desired variables, loop through the $_POST/$_GET array,
>> and check how many "known" variables it contains. It's tempting to
>> think of shortcuts, but this isn't the place to cut corners.
>
> so, is it better to use $_POST instead of $_REQUEST?
> or do these problems also occur with $_POST?
I'd say so, although it doesn't make that much of a difference.
> it is a bit difficult to explain why this is important to me, but i
> will try.
>
> i am building an application that uses the column names from a
> database. people can choose some of these columns, then a form is
> built that uses the column names as the names in the form.
>
> after sending the form, these names are used to build the query.
> this is possible because the names in the form are the same as the
> column names in the database.
> so i have to know which elements of the request can be part of the
> query and which can't (like 'submit' and 'phpsessid')
>
> i can't give them the names you suggested because they have to
> correspond with the column names in the database.
The problem here is that when you use your form, you can sort of control what
comes back after submitting the form. People can post to your script without
using the form though, so you can't really trust what is posted. Also, if
you'd change the location or surrounding code of the script it could break.
Several solutions come to mind, for instance naming hidden inputs "field[]"
and storing the fieldnames in there, but that still relies on the
post-variables. As you're already using a session, why not add an array with
the fields to use there?
You can then just:
foreach ($_SESSION['fields'] as $fieldname) {
    // only look at the POST keys you listed in the session yourself
    if (isset($_POST[$fieldname])) {
        // do stuff with $_POST[$fieldname]
    }
}
And leave the rest of the $_POST variables alone?
Grtz,
--
Rik Wasmus
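The approach Rik sketches above, as an added example that is not part of the original post: the allowed column names are stored in the session when the form is generated, and the query is built only from that list, so extra keys an outsider adds to the POST body (such as 'submit', 'PHPSESSID', or a column the user was never offered) are never touched. It assumes a PDO connection `$pdo`, MySQL-style backtick identifier quoting, and a hypothetical table `records` with the columns listed; the sample POST array is constructed for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumed: $pdo is a PDO connection; the table and column names are made up.
session_start();

// Set once, when the form is generated: the columns this user may submit.
// In a real application these come from the schema you already query.
$_SESSION['fields'] = ['name', 'email', 'city'];

/**
 * Build an INSERT using only column names from the session allowlist.
 * Returns [$sql, $params] so the caller runs it as a prepared statement:
 * values travel as placeholders, identifiers are checked against the
 * allowlist and quoted with backticks (MySQL style, assumed).
 */
function buildInsert(array $allowed, array $post, string $table): array
{
    $columns = [];
    $params  = [];
    foreach ($allowed as $field) {
        // Walk the allowlist, not $_POST: keys absent from the session list
        // (e.g. 'submit', 'PHPSESSID', 'is_admin') are never examined.
        if (!isset($post[$field])) {
            continue;
        }
        // Defensive check so a column name can only be a plain identifier,
        // even if the allowlist itself were ever populated carelessly.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)) {
            throw new InvalidArgumentException("bad column name: $field");
        }
        $columns[]             = '`' . $field . '`';
        $params[':' . $field]  = $post[$field];
    }
    if ($columns === []) {
        throw new RuntimeException('no known fields submitted');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

// Constructed sample POST body: two keys outside the allowlist are dropped.
$samplePost = [
    'name'     => 'Alice',
    'email'    => 'alice@example.com',
    'is_admin' => '1',    // not offered in the form, silently ignored
    'submit'   => 'Save', // form button, likewise ignored
];

[$sql, $params] = buildInsert($_SESSION['fields'], $samplePost, 'records');
// $sql is now: INSERT INTO `records` (`name`, `email`) VALUES (:name, :email)
// $params is:  [':name' => 'Alice', ':email' => 'alice@example.com']

// Execute as a prepared statement (assumed PDO handle):
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

The point of iterating over `$_SESSION['fields']` rather than over `$_POST` is that the server-side list, not the client, decides which names reach the query; the identifier check and the placeholders are what keep the column names and the values out of the SQL text itself.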