[thelist] Pass vars to HTML in PHP

Richard Bennett richard.bennett at skynet.be
Mon Apr 10 04:25:45 CDT 2006


On Sunday 09 April 2006 22:45, Matt Warden wrote:
> <table>
>   <tr>
>     <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> $_GET['color']); ?>">
>
> This will give you the default color of #339933, unless there is a
> query string variable named 'color':

It might be worth mentioning that this will open you up to a cross-site 
scripting vulnerability, where an attacker could read and change the cookies 
from your domain, or create fake login forms under your URL.
It is always safer to check whether the data passed into your script has the 
format you are expecting. Something like this might work:
<table>
  <tr>
    <td bgcolor="#<?php echo ((isset($_GET['color']) &&
preg_match('/^[0-9a-fA-F]{6}$/', $_GET['color'])) ? $_GET['color'] : '339933'); ?>">
  
Although I haven't tested it. 
You probably know all this anyway, but I thought it worth pointing out for 
those who don't.

Richard. 
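The following is an added example, not code from either poster, showing why an allow-list check on the colour value is the right fix and why a length-only test is not enough: a six-character value such as `"><b>x` passes a `strlen(...) == 6` test but still breaks out of the attribute. The function names `safe_hex_color` and `length_only_color`, the sample inputs, and the PHP 7.1+ nullable type hints are all assumptions made for the example.

```php
<?php
// Added example (not from the original thread): allow-list validation of
// the 'color' query parameter, compared with a length-only check.

// Returns $input if it is exactly six hex digits, otherwise $default.
function safe_hex_color(?string $input, string $default = '339933'): string
{
    if ($input !== null && preg_match('/^[0-9A-Fa-f]{6}$/', $input) === 1) {
        return $input;
    }
    return $default;
}

// The weaker check: any six-byte string is accepted, including markup.
function length_only_color(?string $input, string $default = '339933'): string
{
    return (is_string($input) && strlen($input) === 6) ? $input : $default;
}

// Constructed inputs: a valid colour, a six-byte attribute breakout,
// a too-short tag fragment, and a missing parameter.
$cases = ['ff0000', '"><b>x', '<scrip', null];

foreach ($cases as $c) {
    printf("%-10s length-only: %-10s allow-list: %s\n",
        var_export($c, true), length_only_color($c), safe_hex_color($c));
}

// Rendering: validate first, then still escape for the attribute context
// as defence in depth (harmless for a value that is already pure hex).
$color = safe_hex_color($_GET['color'] ?? null);
?>
<table>
  <tr>
    <td bgcolor="#<?php echo htmlspecialchars($color, ENT_QUOTES, 'UTF-8'); ?>">cell</td>
  </tr>
</table>
```

Run from the command line (`php example.php`) the loop prints how each input is handled by both checks; served by a web server, the `?color=` parameter is validated before it reaches the `bgcolor` attribute. The allow-list rejects `"><b>x` and falls back to the default, whereas the length check passes it straight into the markup.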