28 Apr 2007 02:09
Randall R Schulz wrote:
> In essence you're accepting fragments of PHP code from the client

Nope. I'm accepting a value of type string, that in this particular case can be used to execute malicious code **on the client side**. You are mixing apples with pears: SQL injection is one thing and XSS is another, quite different but caused by the same problem, bad user input validation/escaping/whatever. (Not a PHP problem, btw.)