Posted by Jim Carlock on 02/11/06 08:49
"Jim Carlock" <anonymous@127.0.0.1> wrote:
http:/ / aquaticcreationsnc . com/lib/php/test.php
Remove the spaces to visit the link above...
> The w3 validator identifies the ampersand character as the
> leading character for special character sequences. And as
> such, all ampersands should be converted to &amp; when
> employed as part of a URI. So I configured that manually,
> for my own parameters. However, I think what I'm seeing
> here with the validator, is that the validator does not activate
> cookies and thereby PHP automatically adds an <input>
> tag with the PHPSESSID.
Okay, I figured out how to get the separator working. The
rest of the questions about the security concerns are still
valid though. The fix for the "&" ampersand character passed
into the address bar... works great on both Windows and Unix
servers.
<?php
session_start();
// Use &amp; as the argument separator in URLs that PHP generates or rewrites.
ini_set("arg_separator.output", "&amp;");
?>
The other questions I'm leaving open here even though they
are a little off topic now...
--
Also, do any security risks exist? Should I be parsing the
address line passed and checking to see if anyone is trying
to pass <?PHP tags in that line?
The variables working there, are some $_GET['$iPic'] and
$_GET['$iCategory'] placed inside the hidden form input tags.
I'm seeing that PHP automatically adds an extra <input> tag?
Is that correct?
--
Thanks.
Jim Carlock
Post replies to the group.
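
On the question of what to check in the query string, an added example (not part of the original post): values read from $_GET are plain strings, so `<?php` text in them is not executed merely by being read, and the step that matters for the hidden inputs is validating each value and HTML-escaping it on output. The parameter names iPic and iCategory being integer IDs, the helper names int_param and hidden_input, and the sample request are assumptions constructed for illustration.

```php
<?php
// Added example. Helper names are hypothetical; iPic and iCategory are
// assumed to be non-negative integer IDs.

/** Return a non-negative integer from $params[$name], or $default when absent or invalid. */
function int_param(array $params, string $name, int $default = 0): int
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return $default;            // missing, or an array such as ?iPic[]=1
    }
    $value = filter_var($params[$name], FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0]]);
    return $value === false ? $default : $value;
}

/** Build a hidden <input>, escaping name and value for an HTML attribute. */
function hidden_input(string $name, string $value): string
{
    return sprintf('<input type="hidden" name="%s" value="%s">',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample request: one valid value, one carrying markup and PHP tags.
// In a real page this array would be $_GET.
$sample = ['iPic' => '12', 'iCategory' => '"><?php echo 1; ?>'];

$iPic      = int_param($sample, 'iPic');
$iCategory = int_param($sample, 'iCategory');   // not an integer, falls back to the default

echo hidden_input('iPic', (string) $iPic), "\n";
echo hidden_input('iCategory', (string) $iCategory), "\n";

// A free-text value that must be kept as typed: escaping alone keeps it
// inside the attribute instead of closing the tag.
echo hidden_input('note', $sample['iCategory']), "\n";
```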