I've developed a CMS system where all form items are generated from a database using a datatype id. This allows me to have a simple one-for-all form processor that reads the preset datatype for each $_POST[field] and validates the data accordingly, so integer fields can be confirmed as such, email addresses and web addresses run through regular expressions, and so on, without the need to continually look at forms and write a processor for each. I think we have about 40 unique datatypes to validate through, including telephone, postal code, date formats and even a long string of pipe-encapsulated data that is used as an audit trail. Seems to work quite well for what we do, and we add around 12000 rows of database records per week.

On 03/06/2010 12:44, Matthew Pulis wrote:
> obviously it is very good practice that you do not use client supplied
> variables straight in your script / database!!
>
> never insert into the database some data supplied by the client without
> cleaning it / escaping it! else you are really risking big time!
>
> if u want to be paranoid you can also encode the $_POST
>
> Matthew Pulis BSc. (Business and Computing) MSc. (Informatics)
> web: www.matthewpulis.info
> mob: +44 7866535953 / +356 79539404
>
> On Thu, Jun 3, 2010 at 12:20 PM, Daniel Burke <dan.p.burke at gmail.com> wrote:
>
>> As $_POST data is supplied by the client you can not prevent trickery.
>>
>> On 3 Jun 2010 07:05, "Bob Meetin" <bobm at dottedi.biz> wrote:
>>
>>> I am developing some php forms that require numerous arguments in the
>>> $_POST string. This works fine. Is there anything that can be
>>> reasonably done to not make all the ooohs and ahhhs display in the URL
>>> address bar which might appear tempting to some viewers?
>>>
>>> Or perhaps better, what is a standard way to bullet-proof $_POST
>>> variables to prevent trickery?
>>>
>>> -Bob
>>> --
>>>
>>> * * Please support the community that supports you. * *
>>> http://evolt.org/help_support_evolt/
>>>
>>> For unsubscribe and other options, including the Tip Harvester
>>> and archives of thelist go to: http://lists.evolt.org
>>> Workers of the Web, evolt !
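As an added example (not code from the thread or from the poster's CMS), here is the datatype-driven "one-for-all" $_POST processor the top post describes, combined with the escaping point Matthew raises below it: every field is validated against a datatype looked up from a definition table, unknown fields are dropped, and the cleaned values are written with a prepared statement so nothing from the client is ever interpolated into SQL. The field names, datatype ids, regular expressions and the sample submission are all constructed for illustration; a real CMS would load the definitions from its own tables and tune the patterns per country.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the form-definition table: field name => datatype id.
// (Assumption: the real CMS stores these rows in the database.)
const FIELD_DEFINITIONS = [
    'user_id'  => 'int',
    'email'    => 'email',
    'homepage' => 'url',
    'phone'    => 'phone',
    'postcode' => 'postcode_uk',
    'dob'      => 'date',
    'audit'    => 'pipe_list',
];

/**
 * Validators keyed by datatype id. Each returns the normalised value on
 * success or null on failure, so callers never use the raw $_POST value.
 */
function validators(): array
{
    return [
        'int'   => fn(string $v) => filter_var($v, FILTER_VALIDATE_INT) === false ? null : (int) $v,
        'email' => fn(string $v) => filter_var($v, FILTER_VALIDATE_EMAIL) === false ? null : $v,
        'url'   => fn(string $v) => filter_var($v, FILTER_VALIDATE_URL) === false ? null : $v,
        // Digits, spaces, plus and hyphens only, 7 to 20 characters (constructed pattern).
        'phone' => fn(string $v) => preg_match('/^\+?[0-9 \-]{7,20}$/', $v) ? $v : null,
        // Rough UK postcode shape (constructed pattern; adjust per country).
        'postcode_uk' => fn(string $v) =>
            preg_match('/^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$/i', $v) ? strtoupper($v) : null,
        // ISO date that must also be a real calendar date (rejects 2010-02-30).
        'date' => function (string $v) {
            $d = DateTime::createFromFormat('Y-m-d', $v);
            return ($d !== false && $d->format('Y-m-d') === $v) ? $v : null;
        },
        // Pipe-encapsulated audit trail: every segment limited to a safe charset.
        'pipe_list' => function (string $v) {
            $parts = explode('|', $v);
            foreach ($parts as $p) {
                if (!preg_match('/^[A-Za-z0-9 _.:-]{1,64}$/', $p)) {
                    return null;
                }
            }
            return $parts;
        },
    ];
}

/**
 * Validate $input (normally $_POST) against the field definitions.
 * Returns [cleanValues, errors]. Fields not in the definitions are ignored,
 * so extra parameters a client invents never reach the database.
 */
function processForm(array $input, array $definitions): array
{
    $validators = validators();
    $clean  = [];
    $errors = [];
    foreach ($definitions as $field => $type) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $validators[$type]($input[$field]);
        if ($value === null) {
            $errors[$field] = "invalid $type";
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/**
 * Persist a fully validated row. Bound parameters, never string-built SQL,
 * so escaping is the driver's job rather than the form's.
 * Only call this when processForm() returned no errors.
 */
function storeForm(PDO $db, array $clean): void
{
    $stmt = $db->prepare(
        'INSERT INTO submissions (user_id, email, homepage, phone, postcode, dob, audit)
         VALUES (:user_id, :email, :homepage, :phone, :postcode, :dob, :audit)'
    );
    $clean['audit'] = implode('|', $clean['audit']);
    $stmt->execute($clean);
}

// Constructed sample submission standing in for $_POST.
$sample = [
    'user_id'  => '42',
    'email'    => 'alice@example.com',
    'homepage' => 'https://example.com/',
    'phone'    => '+44 7700 900123',
    'postcode' => 'sw1a 1aa',
    'dob'      => '2010-02-30',            // not a real calendar date
    'audit'    => 'login|edit:page 7|save',
    'role'     => 'admin',                 // not in the definitions, so dropped
];
[$clean, $errors] = processForm($sample, FIELD_DEFINITIONS);
print_r($clean);
print_r($errors);
```

The processor never returns a raw client string: each value is either normalised by its validator or recorded as an error, and a field the client adds that the form definition does not know about (the `role` key above) is silently discarded rather than passed through. Rejecting the whole submission when `$errors` is non-empty, and only then calling `storeForm()`, keeps the validation and the database write as two separate steps.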