[thelist] Pass vars to HTML in PHP
Ian Anderson
ian at zstudio.co.uk
Mon Apr 10 04:22:34 CDT 2006
Matt Warden wrote:
> <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> $_GET['color']); ?>">
>
> This will give you the default color of #339933, unless there is a
> query string variable named 'color':
This is a tad risky as it exposes the page to XSS attacks, though, don't
you think?
I've been looking at resources like this [1] for help on such things.
Perhaps something like this on the value returned from the $_GET would
be safer?
htmlentities($_GET['color']);
Is there accepted best practice for this? What do others do?
Cheers
Ian
[1] PHP Security Guide: Form Processing
http://phpsec.org/projects/guide/2.html
--
_________________________________________________
zStudio - Web development and accessibility
http://zStudio.co.uk
Snippetz.net - Online code library
File, manage and re-use your code snippets & links
http://snippetz.net
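The point raised above, as an added example that is not code from the thread or from either poster: the colour value is validated against the only shape a bgcolor value should ever take (six hex digits), so the query string can no longer break out of the attribute, and the output is escaped with htmlspecialchars(ENT_QUOTES) as a second layer. The function names, the default colour and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not from the original thread): validate a colour value
// from the query string before it goes into an HTML attribute.
// Assumes a page that reads $_GET['color'] as in Matt's snippet.

declare(strict_types=1);

const DEFAULT_COLOR = '339933';

/**
 * Return a safe six-digit hex colour. Anything that is not exactly six
 * hex digits falls back to the default, so whatever the request carried,
 * the value written to the page is one of a fixed set of harmless strings.
 */
function safeColor(?string $input): string
{
    if ($input === null || !preg_match('/\A[0-9A-Fa-f]{6}\z/', $input)) {
        return DEFAULT_COLOR;
    }
    return strtolower($input);
}

/**
 * Escape a value for use inside a double-quoted HTML attribute.
 * ENT_QUOTES covers both quote characters; the charset argument should
 * match the page's declared encoding.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['color'].
$samples = [
    null,             // no ?color= parameter at all
    'ff0000',         // legitimate value
    '339933" x="y',   // non-hex characters: an attempt to leave the attribute
    '#123456',        // close, but not the expected format
];

foreach ($samples as $raw) {
    $color = safeColor($raw);
    // Validation already guarantees the value is harmless; escaping is a
    // second layer so the output line stays safe if the validation changes.
    echo '<td bgcolor="#' . attr($color) . '">' . "\n";
}
```

Escaping alone (the htmlentities() suggestion in the post) does stop the quote from closing the attribute, but a whitelist is the stronger check here because a colour has a fixed, easily tested format; the escape then costs nothing and protects any future caller that passes a less constrained value. In a real page, $raw would be $_GET['color'] ?? null.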