Form Reload with Tainted Values
Greetings,
Not one to second-guess users' intentions, I like to throw back at
them any text input that didn't make it through a couple of
basic preg_match()'d sanity checks. This means reloading the
form with the _unaltered_ input as respective 'value' attributes, combined
with a friendly error message for the merely befuddled. The downright
vicious may choke on their own pathetic attempts at XSS.
But, how sane is such an approach from a security perspective? Is there
anything that might come around and bite me in the ass?
Any input greatly appreciated.
Mike
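To make the risk in the question concrete, here is an added example (not code from the post or its author; Python standing in for the PHP form, with `html.escape(..., quote=True)` playing the role of `htmlspecialchars($v, ENT_QUOTES, 'UTF-8')`). The sample input `TAINTED` is constructed: it is the kind of text that would fail a sanity check and, reflected verbatim into `value="..."`, ends the attribute early and adds an event-handler attribute of the sender's choosing. The example renders the same tag both ways and uses the standard-library HTML parser to show what attributes a browser-like parser would actually see. Whether the preg_match() checks pass or fail does not change the outcome; what matters is that the reflected value is escaped for the attribute context and that the attribute in the template is quoted.

```python
import html
from html.parser import HTMLParser

# Constructed sample input (assumption for this example): a value that would
# fail the poster's sanity checks and that, echoed raw into value="...",
# closes the attribute early.
TAINTED = '" onfocus="alert(1)'


def render_input(name: str, value: str, escape: bool) -> str:
    """Build the <input> tag the form is reloaded with.

    escape=False reproduces echoing the unaltered input into value="...".
    escape=True applies attribute-context escaping (& < > " ' become
    entities), the equivalent of PHP's htmlspecialchars() with ENT_QUOTES.
    The attribute in the template is double-quoted on purpose; escaping
    alone does not help if the attribute value is unquoted.
    """
    v = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{name}" value="{v}">'


class _AttrCollector(HTMLParser):
    """Collect the attributes the parser assigns to the <input> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # html.parser decodes entities in attribute values, so an
            # escaped value round-trips back to the original text here.
            self.attrs = dict(attrs)


def parse_attrs(tag_html: str) -> dict:
    """Return the attributes a browser-like parser sees on the <input> tag."""
    p = _AttrCollector()
    p.feed(tag_html)
    p.close()
    return p.attrs


def reflection_is_contained(name: str, value: str) -> bool:
    """True if the escaped rendering keeps the whole input inside value=
    (no extra attributes appear) and the decoded value equals the input."""
    attrs = parse_attrs(render_input(name, value, escape=True))
    return set(attrs) == {"type", "name", "value"} and attrs["value"] == value


if __name__ == "__main__":
    for esc in (False, True):
        tag = render_input("q", TAINTED, escape=esc)
        print(("escaped: " if esc else "raw:     ") + tag)
        print("         parsed attributes:", parse_attrs(tag))
```

Run stand-alone, the raw rendering shows an `onfocus` attribute that the form never declared, while the escaped rendering shows only `type`, `name` and `value`, with `value` decoding back to exactly what the user typed, which is the "throw it back at them" behaviour the post wants without the side effect.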