[thelist] Pass vars to HTML in PHP
Richard Bennett
richard.bennett at skynet.be
Mon Apr 10 04:25:45 CDT 2006
On Sunday 09 April 2006 22:45, Matt Warden wrote:
> <table>
> <tr>
> <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> $_GET['color']); ?>">
>
> This will give you the default color of #339933, unless there is a
> query string variable named 'color':
It might be worth mentioning that this will open you up to a cross-site
scripting vulnerability, where an attacker could read and change the cookies
from your domain, or create fake login forms under your URL.
It is always safer to check whether the data passed into your script has the
format you are expecting. Something like this might work:
<table>
<tr>
<td bgcolor="#<?php echo ((isset($_GET['color']) && strlen($_GET['color'])==6) ?
$_GET['color'] : '339933' ); ?>">
Although I haven't tested it.
You probably know all this anyway, but I thought it worth pointing out for
those who don't.
Richard.
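As an added illustration (not code from either post in this thread), here is the same idea taken one step further: a whitelist check that accepts only six hex digits, followed by attribute escaping as a second layer. The function names safe_color() and color_attr() and the sample inputs are my own.

```php
<?php
// Added example: whitelist validation for the ?color= parameter.
// Not code from the thread; the function names are hypothetical.

const DEFAULT_COLOR = '339933';

/**
 * Return the user-supplied colour only if it is exactly six hex digits,
 * otherwise fall back to the default. Checking the format, not just the
 * length, is what keeps characters such as '"' or '<' out of the attribute.
 */
function safe_color(?string $value, string $default = DEFAULT_COLOR): string
{
    if ($value !== null && preg_match('/^[0-9A-Fa-f]{6}$/', $value) === 1) {
        return $value;
    }
    return $default;
}

// Defence in depth: even a validated value is escaped for the HTML
// attribute context, so a later loosening of the whitelist cannot
// reintroduce markup injection on its own.
function color_attr(?string $value): string
{
    return htmlspecialchars(safe_color($value), ENT_QUOTES, 'UTF-8');
}

// Constructed inputs, showing why a bare strlen() == 6 test is not enough.
$samples = [
    null,        // parameter absent: default colour
    'ff0000',    // valid
    'FF00AA',    // valid, upper case
    '33993"',    // six characters, but contains a quote: rejected
    '339933zz',  // wrong length: rejected
];
foreach ($samples as $s) {
    printf("%-10s -> %s\n", var_export($s, true), color_attr($s));
}

// In the template from the thread, the attribute would then be built with:
//   echo color_attr($_GET['color'] ?? null);
```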