Allowing user input in $_SESSION
Posted: Sun Dec 16, 2007 3:01 pm
The way my script is currently set up (I'm still developing it, so it's not live or anything), a user could put pretty much _any_ string into a $_SESSION variable. It would never be evaluated beyond this:
I don't _think_ that creates a security hole, but I'm not sure. Does it? If so, how?
Code:
<html>
<body>
<form>
<input name="whatever" type="text" value="<?php if(isset($_SESSION['unsecured'])) echo $_SESSION['unsecured']; ?>">
</form>
</body>
</html>
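Added example, not part of the original post: the same form with the session value escaped for the HTML attribute it is printed into. Without escaping, a stored value containing a double quote ends the `value` attribute and the rest is parsed as markup. The `attr()` helper, the 200-byte cap and the way the field is copied into `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. attr() and the storage step are
// hypothetical; only $_SESSION['unsecured'] and "whatever" come from the post.
declare(strict_types=1);

session_start();

/**
 * Escape a string for output inside a quoted HTML attribute
 * (the result is also safe as element text).
 */
function attr(string $value): string
{
    // ENT_QUOTES encodes both " and '. ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of making the whole result an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed storage step: the form has no method or action, so it submits
// via GET to this same page. Keep the raw string and cap its size; the
// escaping happens at output time, not here.
if (isset($_GET['whatever']) && is_string($_GET['whatever'])) {
    $_SESSION['unsecured'] = substr($_GET['whatever'], 0, 200);
}

$value = (string) ($_SESSION['unsecured'] ?? '');

// Constructed sample value:  He said "hi" <b>
//   printed raw:     value="He said "hi" <b>"
//                    the first inner quote closes the attribute early
//   printed escaped: value="He said &quot;hi&quot; &lt;b&gt;"
//                    the browser shows the original text in the field
?>
<html>
<body>
<form>
<input name="whatever" type="text" value="<?php echo attr($value); ?>">
</form>
</body>
</html>
```

The escaping is tied to the output context: `attr()` covers quoted attributes and element text, while a value printed into a URL, a script block or a SQL query needs the encoding for that context.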