Reply to Re: PHP help


Posted by Brian Tipton on 08/17/05 23:48

Ken Robinson wrote:
> kane_bond@yahoo.com.au wrote:
>
>>Hi,
>>
>>I'm not all that great with PHP, but this should be a simple one
>>
>>I want to insert a URL parameter into the default value of a field of a
>>form
>>
>>eg.
>>
>>/test.php?MYVALUE=hello
>>
>>then I want:
>>
>><input name="Name" type="text" id="Name" value=MYVALUE size="40">
>>
>
> You want
> <input name="Name" type="text" id="Name" value="<? echo
> $_GET['MYVALUE'] ?>" size="40">
>
> or you can use PHP to write out the entire string:
> <?php
> echo '<input name="Name" type="text" id="Name" value="' .
> $_GET['MYVALUE'] . '" size="40">'."\n";
> ?>
>
> Ken
>
I may be wrong, but allowing the raw use of URL submitted information in
this manner is a potential security risk and should never be done. It
would be better to clean the value with something like:

$clean_myvalue = stripslashes($_GET['MYVALUE']);

There are other ways to clean values and you might want to look at
Shiflett's papers at http://www.phpsec.org/library/ as a place to start,
especially the one on Data Filtering.

Anyway, after the value is cleaned, the echo statement becomes:

echo '<input name="Name" type="text" id="Name" value="' .
$clean_myvalue . '" size="40">'."\n";

While Ken's suggestion will work, it is not best practice.

Hope it helps.

Brian
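
Added example, not part of the original post: stripslashes() only removes backslashes, so a value containing quotes or angle brackets still ends the value="..." attribute early. The sketch below filters the parameter and then escapes it for the attribute with htmlspecialchars(); field_value() and render_name_input() are hypothetical helper names, and the sample queries are constructed stand-ins for $_GET.

```php
<?php
// Added example (not from the thread). Helper names are hypothetical.

function field_value(array $query, string $key, int $maxLen = 100): string
{
    // A missing parameter, or ?MYVALUE[]=x (an array), becomes an empty default.
    $raw = $query[$key] ?? '';
    if (!is_string($raw)) {
        return '';
    }
    // Filter on input: bound the length (in bytes) before it reaches the page.
    return substr($raw, 0, $maxLen);
}

function render_name_input(string $value): string
{
    // Escape on output: ENT_QUOTES encodes both " and ', so the value cannot
    // close the attribute; & < > are encoded too. ENT_SUBSTITUTE replaces
    // invalid UTF-8 (e.g. a character cut by substr) instead of returning ''.
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input name="Name" type="text" id="Name" value="' . $safe
         . '" size="40">' . "\n";
}

// Constructed sample query strings standing in for $_GET.
$samples = [
    ['MYVALUE' => 'hello'],
    ['MYVALUE' => 'Ann "AJ" O\'Neil <ann@example.org>'], // quotes and brackets
    ['MYVALUE' => ['nested']],                           // array, not a string
    [],                                                  // parameter absent
];

foreach ($samples as $query) {
    $value = field_value($query, 'MYVALUE');
    // What the browser receives when only backslashes are stripped:
    echo 'stripslashes only: value="' . stripslashes($value) . '"' . "\n";
    // What it receives when the value is escaped for the attribute:
    echo 'escaped output:    ' . render_name_input($value);
}
```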
