Posted by Rik on 07/16/06 18:39
Frankie wrote:
> "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> news:ecfda$44b6fcb1$8259c69c$13740@news2.tudelft.nl...
>>>
>>> So you're suggesting all POST data be cleaned, even if it comes
>>> from a select menu which doesn't allow user input?
>>
>> Yes. I could send raw headers to your script, but much simpler is to
>> make my own form with the appropriate names, and post it to your
>> url...
>
> Would it be more secure to send data as SESSION variables instead of
> POST variables (after initial data validation)?
You can't 'send' SESSION variables like that.
It would just mean extra code with no benefits.
Just validate your POST data with the tools that are there (is_int(),
preg_match(), mysql_real_escape_string() before using them in a
MySQL database etc.). When a value is invalid, either stop further
processing and provide a useful error message, or set it to a default value
and use that.
Grtz,
--
Rik Wasmus
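An added example (not code from the thread) of the validation Rik describes, applied to the forged select-menu case: the field names, the allowed list, the table and the DSN are assumed. Since every $_POST value arrives as a string, is_int() would never be true on it, so filter_var() checks the numeric field, and a PDO prepared statement stands in for mysql_real_escape_string() (the mysql extension was removed in PHP 7).

```php
<?php
// Added example (not from the original thread): validating POST fields
// server-side. Field names, allowed list, table and DSN are assumed.
// Server-side whitelist for a <select name="color"> menu. The browser's
// menu cannot be trusted: anyone can post any value for "color".
const ALLOWED_COLORS = ['red', 'green', 'blue'];
/**
 * Validate the request and return clean values plus a list of errors.
 * $_POST values are always strings, so is_int() is never true on them;
 * filter_var() is used for the numeric field instead.
 */
function validate_post(array $post): array
{
    $errors = [];
    $clean  = [];
    // Select menu: reject anything not in the server-side list.
    $color = $post['color'] ?? '';
    if (in_array($color, ALLOWED_COLORS, true)) {
        $clean['color'] = $color;
    } else {
        $errors[] = 'color: not an allowed choice';
    }
    // Numeric id: "stop further processing" branch on failure.
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        $errors[] = 'id: must be a positive integer';
    } else {
        $clean['id'] = $id;
    }
    // Free-text field with a pattern check; "default value" branch on failure.
    $tag = (string) ($post['tag'] ?? '');
    $clean['tag'] = preg_match('/^[a-z0-9_-]{1,32}$/', $tag) ? $tag : 'untagged';
    return ['errors' => $errors, 'clean' => $clean];
}

$result = validate_post($_POST);
if ($result['errors']) {
    http_response_code(400);
    foreach ($result['errors'] as $e) {
        echo htmlspecialchars($e), "\n";
    }
    exit;
}
// A PDO prepared statement does the escaping job that
// mysql_real_escape_string() did for the old mysql extension.
$pdo  = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // assumed DSN
$stmt = $pdo->prepare('UPDATE items SET color = ?, tag = ? WHERE id = ?');
$stmt->execute([$result['clean']['color'], $result['clean']['tag'],
                $result['clean']['id']]);
```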