|
Posted by David Dorward on 01/20/06 14:11
Greg N. wrote:
> <?php $planet = $_GET['planet']; ?>
> <h1>This planet is <?php echo "$planet"; ?></h1>
GET is tainted and needs to be sanitised before being dumped into the
page. Currently you are opening up for a cross site scripting attack.
http://uk.php.net/manual/en/function.htmlspecialchars.php should do the
job.
[Back to original message]
|