From: Matthew G. <gr...@mu...> - 2002-03-30 19:25:17
On Thu, Mar 28, 2002 at 02:54:14PM -0500, James E. Flemer wrote:
> On Thu, 28 Mar 2002, Matthew Gregg wrote:
>
> > I need a way for users to publish their surveys that doesn't require
> > the user or the administrator to create a php include.
> > It can be very simple to start with, but I could see adding a user
> > definable CSS as an easy addition, before we make the transition into
> > XML/XLT.
> >
> > I understand the risks of accepting "tainted" user input.
> > So what's wrong with this:
> > <?php $sid=intval($id); include("/blah/public/handler.php");?>
> >
> > $id has been "un-tainted" with intval.
>
> That is fine. The only issue is of course that people (web
> users) can try different id's -- that is not necessarily a
> problem, I just wanted to keep the SID hidden from the
> user.
A thought here:
Instead of sequential IDs, why not increment the SID by a larger amount and/or
perhaps add some randomness?
It would be harder for "Joe User" to try other surveys.
Of course, this would add some complexity, since we couldn't use MySQL's
auto_increment.
--
brought to you by, Matthew Gregg...
one of the friendly folks in the IT Lab.
--------------------------------------\
The IT Lab (http://www.itlab.musc.edu) \____________________
Probably the world's premier software development center.
Serving: Programming, Tools, Ice Cream, Seminars
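An added example of the idea discussed in this thread (keeping the survey's SID out of the public URL so that web users cannot walk through other people's surveys). This is editorial example code, not phpESP code and not what either poster wrote. It assumes a `survey` table with an integer `sid` primary key and a new `public_token` column, a public handler reached as `survey.php?t=...`, and PHP 7 or later for `random_bytes()`; an in-memory SQLite database stands in for MySQL so the script runs offline. The design keeps MySQL's auto_increment for the internal key and adds a separate random token column, which is what the public URL carries.

```php
<?php
// Added example (not phpESP code): publish surveys under an unguessable
// public token instead of the sequential auto_increment sid.
//
// Assumed schema change (table and column names are assumptions):
//   ALTER TABLE survey ADD COLUMN public_token CHAR(32) NULL,
//       ADD UNIQUE KEY (public_token);

declare(strict_types=1);

/** 128 bits from the OS CSPRNG, hex-encoded: 32 lowercase hex chars. */
function new_public_token(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Untaint the token from the request the way intval() untainted $id:
 * accept only the exact shape we generate, reject everything else.
 */
function untaint_token(?string $raw): ?string
{
    if ($raw === null || !preg_match('/^[0-9a-f]{32}$/', $raw)) {
        return null;
    }
    return $raw;
}

/** Map a public token back to the internal sid, or null if unknown. */
function sid_for_token(PDO $db, string $token): ?int
{
    $stmt = $db->prepare('SELECT sid FROM survey WHERE public_token = ?');
    $stmt->execute([$token]);
    $sid = $stmt->fetchColumn();
    return $sid === false ? null : (int) $sid;
}

/** Publish: assign a fresh token to an existing survey, retrying on the (rare) collision. */
function publish_survey(PDO $db, int $sid): string
{
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $token = new_public_token();
        try {
            $stmt = $db->prepare('UPDATE survey SET public_token = ? WHERE sid = ?');
            $stmt->execute([$token, $sid]);
            return $token;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation (token already used)
            if ($e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not assign a unique public token');
}

// --- demo against an in-memory SQLite database standing in for MySQL ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE survey (sid INTEGER PRIMARY KEY AUTOINCREMENT,
                                title TEXT, public_token CHAR(32) UNIQUE)');
$db->exec("INSERT INTO survey (title) VALUES ('Lab feedback'), ('Ice cream poll')");

$token = publish_survey($db, 1);
echo "public URL: survey.php?t=$token\n";

// What the public handler does instead of $sid = intval($id): constructed
// requests include the real token, the old-style sequential ids, an
// upper-cased token and a well-formed but unassigned token.
foreach ([$token, '1', '2', strtoupper($token), str_repeat('0', 32)] as $raw) {
    $clean = untaint_token($raw);
    $sid = $clean === null ? null : sid_for_token($db, $clean);
    printf("%-36s -> %s\n", var_export($raw, true),
           $sid === null ? 'not found' : "sid $sid");
}
```

Only the first request resolves to a survey; `1`, `2` and the other guesses are rejected either by the shape check or by the lookup. The example uses a full random token rather than a larger fixed step because a fixed step is no harder to guess than a step of one once two published URLs have been seen; the 128-bit token also sidesteps the auto_increment concern, since the internal `sid` column keeps auto-incrementing and only the token is exposed.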