secure strings

Anonymous

Guest
In a form, when I have a text area and the text area only has HTML coding and not something like the following

(the space being called EX)

Code:
<input type="text" name="<?php echo $_POST['EX']; ?>great">

Will a configuration using the string

$EX

be secure?
 
Is the $ex variable a POST variable or a GET variable?

If it's GET ($_GET): 100% not secure. If it's a POST ($_POST), it's not secure either, as I can submit from my page to your page... and therefore the name will be changed... However, you may use it, as it should pose no threat whatsoever if you code well and think through all the possible algorithms.
 
1) The $EX is a POST variable.

2) So I should keep it as
Code:
$_POST['EX']
in the input and the configuration page?
 
Well... as I said, if I know the name of your POST variable I can easily change it to some other name and give it a value.

The thing is that it wouldn't give me anything... or it will... but that's not the point.

My rule is: "NEVER trust user input". This goes for the POST and GET variables.

Therefore try to use $_POST as little as possible...
 
Well, EX actually is the variable (it's for BM IIDX).

So use $_POST['EX'] on the text space
but in the config use $_GET['EX']
 
Okay... GET will be even worse, because it could be whatever a user wants... so think about it... if you are using EX in the query => your script is not "SQL injection-safe"...

In most other cases it's no problem, though.
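
One way to apply the "never trust user input" rule from this thread to the EX value, as an added example that is not code from any poster. The function names, the allow-list pattern and the `settings` table are assumptions made for illustration; it needs PHP 8 with the PDO SQLite driver.

```php
<?php
declare(strict_types=1);

// Assumption: EX is a short alphanumeric label; adjust the pattern to the real format.
function validate_ex(mixed $raw): ?string
{
    if (!is_string($raw)) {          // rejects arrays submitted as EX[]=...
        return null;
    }
    return preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) === 1 ? $raw : null;
}

// Escape for the HTML attribute context, even after validation.
function render_input(string $ex): string
{
    $name = htmlspecialchars($ex . 'great', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $name . '">';
}

// Bound parameter: the submitted value never becomes part of the SQL text.
function find_setting(PDO $db, string $ex): array
{
    $stmt = $db->prepare('SELECT name, value FROM settings WHERE name = :ex');
    $stmt->execute([':ex' => $ex]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data: an in-memory table and sample submissions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (name TEXT, value TEXT)');
$db->exec("INSERT INTO settings VALUES ('EX', 'on')");

// In a real page $raw would be $_POST['EX'] ?? null (or $_GET['EX'] ?? null).
$samples = ['EX', '"><script>alert(1)</script>', "x' OR '1'='1", ['EX']];
foreach ($samples as $raw) {
    $ex = validate_ex($raw);
    if ($ex === null) {
        echo 'rejected: ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    echo render_input($ex) . ' rows=' . count(find_setting($db, $ex)) . PHP_EOL;
}
```

The same three steps apply whether the value arrives through `$_POST` or `$_GET`, since both are fully controlled by whoever sends the request.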
 