[thelist] Pass vars to HTML in PHP

Christian Heilmann codepo8 at gmail.com
Mon Apr 10 04:33:06 CDT 2006


> >     <td bgcolor="#<?php echo (empty($_GET['color']) ? '339933' :
> > $_GET['color']); ?>">
> > This will give you the default color of #339933, unless there is a
> > query string variable named 'color':
> This is a tad risky as it exposes the page to XSS attacks, though, don't
> you think?
> I've been looking at resources like this [1] for help on such things.
> Perhaps something like this on the value returned from the $_GET would
> be safer?
> htmlentities($_GET['color']);
> Is there accepted best practice for this? What do others do?

I tend to do a strip_tags on the value, or in a case like this I
really test if the value is a valid hex number and not anything else.

// anchored with ^ and $, and without the stray '|' in the character class (which would let '|' through)
$bgcolor=(isset($_GET['color']) && preg_match('/^[a-f0-9]{3,6}$/i',$_GET['color']))?$_GET['color']:'333666';

--
Chris Heilmann
Blog: http://www.wait-till-i.com
Writing: http://icant.co.uk/
Binaries: http://www.onlinetools.org/
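An added example in PHP (mine, not code from the thread) putting the two approaches side by side: the allow-list check Chris describes, with the earlier reply's escaping as a fallback. The function name `safe_hex_color` and the sample inputs standing in for `$_GET['color']` are constructed for illustration.

```php
<?php
// Return a safe hex colour: the supplied value only if it is exactly
// 3 or 6 hex digits, otherwise the default. The anchors matter: an
// unanchored pattern would accept '"><script>' as long as three hex
// characters appeared somewhere in the string.
function safe_hex_color(?string $value, string $default = '339933'): string
{
    if ($value !== null && preg_match('/^(?:[a-f0-9]{3}|[a-f0-9]{6})$/i', $value)) {
        return strtolower($value);
    }
    return $default;
}

// Constructed sample values standing in for $_GET['color'].
$samples = [
    '339933',                      // valid 6-digit colour
    'FFF',                         // valid 3-digit colour, upper case
    '"><script>alert(1)</script>', // attempt to break out of the attribute
    'ff0000; background:url(x)',   // extra CSS smuggled after a valid colour
    null,                          // parameter absent from the query string
];

foreach ($samples as $input) {
    $color = safe_hex_color($input);
    // htmlspecialchars is belt and braces here: after the allow-list it
    // changes nothing, but it keeps the attribute safe if the validation
    // is ever loosened.
    echo '<td bgcolor="#' . htmlspecialchars($color, ENT_QUOTES, 'UTF-8') . '">' . "\n";
}
```

Only the first two samples reach the attribute as given (the second lower-cased); the rest fall back to the default.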
