I've written a script where people can input a number to see specific random results. Would there be any potential issues with someone inserting code into the field?
It's pretty much used like this:
Code:
$num = $_POST['a'];
srand($num);
echo $num;
Rpg Maker VX - Link bait generator
New random maker: Business Generator
Tag Maker - Tiny red spiders - Selling games


Nothing serious that I can think of unless there's a way to enter PHP code into it and have the results output, e.g. ??? -- not that it would work, but you get the idea.
$_POST['a'] = "0);phpinfo();("
IMHO, it would be prudent and good habit to always validate. If it's only numbers allowed you could use trim() and is_numeric() at the least.
In addition to Mittineague's excellent advice, you should also cast the variable to an Integer.
PHP Code:
<?php
$num = (Integer)$_POST['a'];
srand($num);
echo $num;
?>
@AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.
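An added example, not code from the thread: it runs the checks suggested above (is_numeric(), an integer cast) and a stricter filter_var() check over constructed inputs, then rejects bad input instead of silently coercing it. parse_seed() is a hypothetical helper name.

```php
<?php
// Added example (not from the thread). parse_seed() is a hypothetical helper.

/**
 * Return the submitted value as an int, or null when it is not a plain
 * decimal integer that fits in a PHP int.
 */
function parse_seed($raw): ?int
{
    if (!is_string($raw)) {
        // Covers a missing field and array input such as a[]=1.
        return null;
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

// Constructed sample inputs, including the string suggested in the thread.
$samples = ['42', ' 7', '1e3', '12abc', '1.5', '0);phpinfo();(', ['1']];

foreach ($samples as $raw) {
    printf(
        "%-20s is_numeric=%-6s cast=%-5s strict=%s\n",
        is_array($raw) ? 'array' : var_export($raw, true),
        var_export(is_numeric($raw), true),
        // The cast never fails: it keeps any leading digits and drops the rest.
        is_array($raw) ? 'n/a' : (string)(int)$raw,
        var_export(parse_seed($raw), true)
    );
}

// In the request handler: the posted value is only ever data, never code,
// but it is still rejected unless it is a whole number.
$num = parse_seed($_POST['a'] ?? null);
if ($num === null) {
    http_response_code(400);
    exit("Please enter a whole number.\n");
}
srand($num);
echo $num; // an int here, so no user-supplied markup reaches the page
```

Run from the command line, the table prints and the handler part then exits with the error message, because $_POST is empty there.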

Thank you both! I'll be sure to do that!