[thelist] Pass vars to HTML in PHP

Ian Anderson ian at zstudio.co.uk
Mon Apr 10 04:22:34 CDT 2006

Matt Warden wrote:

>     <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> $_GET['color']); ?>">
> This will give you the default color of #339933, unless there is a
> query string variable named 'color':

This is a tad risky as it exposes the page to XSS attacks, though, don't 
you think?

I've been looking at resources like this [1] for help on such things.

Perhaps something like this on the value returned from the $_GET would 
be safer?


Is there accepted best practice for this? What do others do?



[1] PHP Security Guide: Form Processing

zStudio - Web development and accessibility

Snippetz.net - Online code library
File, manage and re-use your code snippets & links
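As an added example (not code from the thread or from the PHP Security Guide): the quoted `bgcolor` snippet next to a hardened version that allow-lists the value before it reaches the attribute. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from the mailing-list thread. Function names are
// illustrative; the only real input considered is $_GET['color'].

// Vulnerable form, as quoted in the thread: whatever arrives in ?color=
// is written straight into the bgcolor attribute, so a quote in the
// value breaks out of the attribute and the rest becomes markup.
function cell_unsafe(array $get): string {
    return '<td bgcolor="#' . (empty($get['color']) ? '339933' : $get['color']) . '">';
}

// Hardened form: accept only exactly six hex digits (an allow-list, not a
// blacklist of "bad" characters) and fall back to the default otherwise.
function safe_color(?string $raw, string $default = '339933'): string {
    if ($raw !== null && preg_match('/\A[0-9A-Fa-f]{6}\z/', $raw) === 1) {
        return strtolower($raw);
    }
    return $default;
}

// Even a validated value is still escaped on output; with a hex-only
// allow-list this is redundant, but it keeps the output encoding correct
// if the validation rule is ever loosened later.
function cell_safe(array $get): string {
    $color = safe_color($get['color'] ?? null);
    return '<td bgcolor="#' . htmlspecialchars($color, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed inputs: a normal value, an attribute-breakout value, and
// no value at all.
$cases = [
    ['color' => 'ff0000'],
    ['color' => '"><b>injected</b>'],   // constructed hostile value
    [],
];
foreach ($cases as $get) {
    echo "input:  " . var_export($get['color'] ?? null, true) . "\n";
    echo "unsafe: " . cell_unsafe($get) . "\n";
    echo "safe:   " . cell_safe($get) . "\n\n";
}
```

Running it shows the unsafe version emitting the injected markup for the second input while the safe version falls back to `#339933`; note also that `empty()` treats the string `"0"` as empty, so the allow-list check is the part doing the real work.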
