http://goldnuggetmuseum.com/contact_us. ... %20TO%20US
heh
Finally done - completely DONE!
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Who is managing the content? They might want to consider spell checking before posting (or maybe you can charge them to develop and implement a spell checking tool. Hmm. Hmm?). Also, do they mean "collection of artifacts"?

The Gold Nugget Museum web site wrote:
> The Gold Nugget Museum was incorperated in 1973. Our mission is to preserve and protect The Ridge heritage through our collection and artifacts and with community education programs...
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
One thing you could do is not use $_GET for the message text in your contact form. Allowing a user to pass a variable to your scripts through a URI is a big risk, unless you validate what is being passed. In your case, you could use an array index as a passed parameter and echo back the array value for that index as an error message after validating the numeric value of the $_GET var. Or you could just not use $_GET at all and rely on preprogrammed error messages based on triggers thrown by the script (I tend to use this method).
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Well, I suppose I mean whatever in the script would give cause to show the message. Relying on the $_GET['message'] var being set and then using the value of it is insecure. Usually, I do some checking of the values of the form data and post an error message as needed. This is typically generated within the script using a check of some sort. That way nothing gets passed to the script through the URI.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
If ever displaying dynamic content, play it safe with htmlentities(), in combination with whitelisting values, example:
Code:
<?php
// $validator is whatever whitelisting object the application uses; only echo the
// parameter once it is present and has passed that check. ENT_QUOTES also escapes
// single quotes, so the output is safe inside an HTML attribute as well as in the body.
if (isset($_GET['blah']) && $validator->isString($_GET['blah'])) {
    echo htmlentities($_GET['blah'], ENT_QUOTES, 'UTF-8');
}
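The two pieces of advice in this thread fit together: RobertGonzalez's point that the message text itself should never travel in the URI (pass a validated index into a fixed table of server-side messages instead), and John Cartwright's point that anything dynamic that does reach the page goes through htmlentities() after a whitelist check. The script below is an added example written for this thread, not code from any of the posters; the ERROR_MESSAGES table, the function names, and the two sample requests are all constructed for the demonstration, and errorMessageFor() stands in for the unspecified $validator.

```php
<?php
// Added example: preprogrammed error messages selected by a validated integer
// index, plus htmlentities() on every value that is re-displayed. Nothing here
// comes from the thread's own code; the table and sample requests are constructed.

// Preprogrammed error messages; only the index, never the text, travels in the URI.
const ERROR_MESSAGES = [
    1 => 'Please enter your name.',
    2 => 'Please enter a valid e-mail address.',
    3 => 'Your message cannot be empty.',
];

// Returns the message for a whitelisted index, or null for anything else.
function errorMessageFor($raw): ?string
{
    // FILTER_VALIDATE_INT rejects values such as "1abc", "<script>" or "1.0".
    $index = filter_var($raw, FILTER_VALIDATE_INT);
    if ($index === false || !array_key_exists($index, ERROR_MESSAGES)) {
        return null;
    }
    return ERROR_MESSAGES[$index];
}

// Escapes a value for HTML body or attribute context; ENT_QUOTES covers single quotes.
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// The pattern the thread warns against: whatever is in the URI is echoed into the page.
function renderVulnerable(array $get): string
{
    return '<p class="error">' . ($get['message'] ?? '') . '</p>';
}

// Hardened pattern: only a known message can appear, and the form's own field is
// re-displayed through h() so it cannot break out of the value attribute.
function renderHardened(array $get): string
{
    $message = errorMessageFor($get['err'] ?? null);
    $html = '';
    if ($message !== null) {
        $html .= '<p class="error">' . h($message) . '</p>';
    }
    $html .= '<input type="text" name="name" value="' . h($get['name'] ?? '') . '">';
    return $html;
}

// Constructed requests: a legitimate one and one carrying markup in the query string.
$legit   = ['err' => '2', 'name' => "O'Brien"];
$hostile = ['message' => '<script>alert(1)</script>', 'err' => '<script>', 'name' => '"><b>x</b>'];

echo renderVulnerable($hostile), "\n"; // the script tag lands in the page verbatim
echo renderHardened($legit), "\n";     // known message shown, apostrophe in the name escaped
echo renderHardened($hostile), "\n";   // unknown index: no error shown; markup in name escaped
```

Run it from the command line with php and compare the three lines: the hardened renderer never emits text that did not originate on the server, and the only user-controlled value it prints (the name field) is escaped for the attribute it sits in.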