Saturday, November 1, 2003

Hacking Web Forms

By Jake Howlett
When I made the PHP version of Personal Journal public yesterday I knew what was going to happen. The wannabe hackers amongst us are going to see if they can't break it. As you can see, it wasn't hard at all. In its immature state I had added no validation whatsoever. It's good to see people thinking logically like this though.
Unwittingly or not you've given me the chance to laud the abilities of PHP some more. Most of you have taken advantage of the fact that you can add HTML tags to all of the fields. What if I wanted to put an end to this? Well, I could choose to simply remove all tags (with the option of allowing a predefined list) or I could make all HTML appear as plain text.
Both of these functions are standard features of PHP. Yes, out of the box. No extra programming required. This is what I love about PHP. From its beginning it's always been about the web, and nothing else.
Go ahead, try hacking it now. All tags in the body field will be stripped except for bold and italic text, and markup in the subject will display as text. I know you can still leave all the fields blank. Come on, give me a chance....
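As an added example (not code from the original post or from Personal Journal), here are the two standard PHP functions the post refers to, applied to constructed form input: strip_tags with an allow-list for the body, and htmlspecialchars for the subject. The field names, function names and sample input are assumptions. One caveat worth showing: strip_tags keeps any attributes on the allowed tags, so an event handler on a <b> or <i> survives the allow-list; the example normalises the surviving tags to their bare form so that does not happen.

```php
<?php
// Added example, not from the original post. Assumed field names: $body, $subject.

// Body field: remove every tag except <b> and <i>, then drop any attributes
// that strip_tags leaves on those allowed tags (e.g. <i onclick="...">).
function clean_body(string $body): string
{
    $allowed = strip_tags($body, '<b><i>');
    // Rewrite <b ...>, </b ...>, <i ...>, </i ...> to bare <b>, </b>, <i>, </i>.
    return preg_replace('/<(\/?)(b|i)\b[^>]*>/i', '<$1$2>', $allowed);
}

// Subject field: make markup display as text by turning <, >, &, " and '
// into HTML entities.
function clean_subject(string $subject): string
{
    return htmlspecialchars($subject, ENT_QUOTES, 'UTF-8');
}

// Reject submissions where a required field is blank (the remaining hole
// the post mentions). Returns a list of field names that failed.
function blank_fields(array $fields): array
{
    $missing = [];
    foreach ($fields as $name => $value) {
        if (trim($value) === '') {
            $missing[] = $name;
        }
    }
    return $missing;
}

// Constructed sample input, the kind of thing a wannabe hacker might post.
$body    = 'Hello <b>world</b> <script>alert(1)</script> <i onclick="alert(2)">tilt</i>';
$subject = '<img src=x onerror=alert(1)> My day';

$missing = blank_fields(['subject' => $subject, 'body' => $body]);
if ($missing) {
    echo 'Missing: ', implode(', ', $missing), "\n";
    exit;
}

echo clean_subject($subject), "\n"; // markup shown literally
echo clean_body($body), "\n";       // only bare <b> and <i> remain
```

Note that strip_tags removes the tags but not the text between them, so the word alert(1) from the script element is still posted as harmless text; that is the intended behaviour for a journal body, where you want the visitor's words kept and only their markup removed.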
