I'm not quite sure what you want/need.
But I think you want to turn the _GET into _POST but want to use forms to do it (heh, dunno why, but here goes...):
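Code:
// If var arrived in the query string, re-submit it as a POST field.
// Note: $_GET['var'] is echoed into the HTML without any escaping.
if (!empty($_GET['var'])) {
    echo "<form action=\"".$_SERVER['PHP_SELF']."\" method=\"POST\">\n";
    echo "<input type=\"hidden\" name=\"var\" value=\"".$_GET['var']."\" />\n";
    echo "<input type=\"submit\" value=\"Next Page >>\" />\n";
    echo "</form>\n";
} elseif (!empty($_POST['var'])) {
    // Escape the $ so PHP prints the literal text instead of the array.
    echo "var is now in \$_POST :)";
}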
If you use this, I'd watch out for register_globals, because it's easier than normal to fake a post request.
Code:
page.php?var=lol"><input type="text" name="sql" value="SELECT * FROM TABLE
with that, it would echo:
html wrote:<input type="hidden" value="lol"><input type="text" name="sql" value="SELECT * FROM TABLE" />
And if you had register_globals on, $sql would = SELECT * FROM TABLE, without you even knowing. Then it only takes a minor coding bug to exploit it.
The worst 'sploits are the small ones! - If you remember that you'll always be safe
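
Added example (not part of the original post): the same GET-to-POST hand-off with the value HTML-escaped before it is written into the hidden field, and the POST side reading only the one field it expects. The helper names `render_next_form()` and `read_var()`, the `/page.php` action and the sample inputs are assumptions made up for this illustration.

```php
<?php
// Added illustration, not the poster's code. Helper names are hypothetical.

/** Build the hand-off form with every dynamic value HTML-escaped. */
function render_next_form($value, string $action): string
{
    // ?var[]=x arrives as an array; accept plain strings only.
    if (!is_string($value)) {
        $value = '';
    }
    $esc = static function (string $s): string {
        // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    return '<form action="' . $esc($action) . '" method="POST">' . "\n"
         . '<input type="hidden" name="var" value="' . $esc($value) . '" />' . "\n"
         . '<input type="submit" value="Next Page &gt;&gt;" />' . "\n"
         . "</form>\n";
}

/** Read only the expected field, explicitly from the POST array. */
function read_var(array $post): ?string
{
    return (isset($post['var']) && is_string($post['var'])) ? $post['var'] : null;
}

// Constructed input: the query-string value quoted in the post.
$payload = 'lol"><input type="text" name="sql" value="SELECT * FROM TABLE';
$html = render_next_form($payload, '/page.php');
echo $html;

// The payload must stay inside the value attribute: two <input> tags, no name="sql".
if (substr_count($html, '<input') !== 2 || strpos($html, 'name="sql"') !== false) {
    throw new RuntimeException('payload escaped the hidden field');
}

// Constructed POST body with an extra, unexpected field: it is simply never read.
$post = ['var' => 'lol', 'sql' => 'SELECT * FROM TABLE'];
$sql = null; // initialise explicitly so no request field can pre-populate it
if (read_var($post) !== 'lol' || $sql !== null) {
    throw new RuntimeException('unexpected request field was used');
}
```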
