Posted: Fri Feb 03, 2006 10:59 pm
Still There?
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
that's your problem....

WizyWyg wrote: The alert msg length is at 9999 characters. I'm still getting unwanted characters through

Code:
The following fields were either left blank or contained special characters, please fix and resubmit. \n\n

You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).

WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes I'm AR about it because we can't have those characters pass through.
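
A server-side version of the check arborint describes, as an added example that is not part of the thread: the script that sends the email re-validates every field, so a hand-built request that skips the JavaScript is still rejected. The field names, allowed character sets and recipient address are assumptions, since the thread does not list them.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Field names and allowed
// character sets are assumptions; the thread never lists the real ones.
const FIELD_RULES = [
    // field => [required, allowlist pattern for the whole value]
    'name'     => [true,  '/\A[A-Za-z .\'-]{1,60}\z/'],
    'state'    => [true,  '/\A[A-Z]{2}\z/'],
    'comments' => [false, '/\A[A-Za-z0-9 .,?!\r\n-]{0,2000}\z/'],
];

// Validate raw request data on the server, independent of any JavaScript.
// Returns [cleanValues, errors]; mail is sent only when errors is empty.
function validate_submission(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (FIELD_RULES as $field => [$required, $pattern]) {
        $value = $input[$field] ?? '';
        // Arrays (name[]=x) and other non-strings are rejected outright.
        if (!is_string($value)) {
            $errors[$field] = 'invalid type';
            continue;
        }
        $value = trim($value);
        if ($value === '') {
            // Blank is an error only for required fields such as state.
            if ($required) { $errors[$field] = 'required'; }
            continue;
        }
        // \A ... \z anchors the whole value; anything outside the allowlist fails.
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'contains characters that are not allowed';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

// Constructed sample: a request built by hand, so no client-side check ran.
[$clean, $errors] = validate_submission(['name' => 'Ann <b>', 'comments' => 'hi']);
if ($errors !== []) {
    http_response_code(422);
    echo json_encode($errors), "\n";
} else {
    mail('intake@example.invalid', 'Form submission', implode("\n", $clean));
}
```

In a real handler the input array would be `$_POST`; the missing `state` key is reported as required here even though no browser-side check ever ran.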
Can't filter it on the database server. The server is not a 'generic' database, and the only thing it can do is receive email. It takes each email and stores it as its own message. The content of each email must be "clean" so that a dump of all the messages will not be impeded. So, whatever I can do on the interface side to reduce the amount of work on the database side (I don't have access, control or any way of seeing what / how the information received looks) the better it is.

arborint wrote: You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).

WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes I'm AR about it because we can't have those characters pass through.
Makes me want to write a Greasemonkey script

WizyWyg wrote: Can't filter it on the database server. The server is not a 'generic' database, and the only thing it can do is receive email. It takes each email and stores it as its own message. The content of each email must be "clean" so that a dump of all the messages will not be impeded. So, whatever I can do on the interface side to reduce the amount of work on the database side (I don't have access, control or any way of seeing what / how the information received looks) the better it is.

arborint wrote: You understand that client side validation is only to improve the user experience and reduce traffic. If you are saving data into a database you need to filter it on the server side. Hackers don't need to use your page to submit data -- they can make their own with no validation and pass whatever they want. That is why server side filtering and escaping is always mandatory (ok "always mandatory" is redundant, but this is an important point).

WizyWyg wrote: We need the validation on the submission because it's all being sent by email to a database server that can't accept certain characters.
Yes I'm AR about it because we can't have those characters pass through.
So, now, why is the form submitting without the State field being filled out?