That's a big leap. You assume there's a field called DocAuthors, that it's an
authors field, and that when it's passed in via the QUERY_STRING CGI variable it
is mapped to a form which contains a DocAuthors field.
Sure it's a security problem. Anyone who exposes the Authors field unnecessarily
is asking for trouble.
The code I mentioned parses the HTTP-Request CGI variable, not the QUERY_STRING,
so you're not limited by the maximum length of a URL. All fields are created as
text fields and stored in the created/edited document. When you parse the
HTTP-Request field there is no way to tell what data type the data is, because
its value is just one long string.
So even if you did create a field on an HTML form called DocAuthors and give it
a value of "*" it would make no difference, as the field would be stored as a
text field, not an authors field.
John Z Marshall
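The distinction the post draws (every submitted field lands as a text item versus a field inheriting the access-controlling type the form declares for it) modelled as an added example. This is not the poster's code and does not use any Domino API; the form definition, the item-type names and the request body are constructed for illustration, and "*" is used as the client-supplied value because it is the one discussed in the post.

```python
from urllib.parse import parse_qsl

# Constructed toy form definition (assumption: a model, not Domino's own data
# model). It maps an item name to the type the form declares for that item.
# "authors" stands in for an access-controlling item type.
FORM_DEFINITION = {
    "Subject": "text",
    "Body": "text",
    "DocAuthors": "authors",
}

# Access-controlling item types in this model.
PROTECTED_TYPES = ("authors", "readers")


def parse_request_body(body):
    """Split a raw application/x-www-form-urlencoded request body into
    (name, value) pairs. The body is one long string, so nothing here
    carries a data type: every value comes back as str."""
    return parse_qsl(body, keep_blank_values=True)


def store_as_text_only(body):
    """Behaviour described in the post: every submitted field is written
    to the document as a text item, whatever the form would declare."""
    doc = {}
    for name, value in parse_request_body(body):
        doc[name] = {"type": "text", "value": value}
    return doc


def store_with_form_types(body, form=FORM_DEFINITION):
    """The risky mapping the post calls a 'big leap': a submitted field takes
    the type the form declares for that name, so a client who knows the
    item name can write an access-controlling item directly."""
    doc = {}
    for name, value in parse_request_body(body):
        doc[name] = {"type": form.get(name, "text"), "value": value}
    return doc


def client_controls_access(doc):
    """True if the stored document holds an access-controlling item whose
    value came straight from the client."""
    return any(item["type"] in PROTECTED_TYPES for item in doc.values())


def store_with_form_types_hardened(body, form=FORM_DEFINITION):
    """Variant of the typed mapping that refuses client-supplied values for
    any item the form declares as access-controlling, so the handler can
    keep typed items without letting the client set Authors/Readers."""
    doc = {}
    for name, value in parse_request_body(body):
        item_type = form.get(name, "text")
        if item_type in PROTECTED_TYPES:
            raise ValueError(f"client may not set protected item {name!r}")
        doc[name] = {"type": item_type, "value": value}
    return doc


if __name__ == "__main__":
    # Constructed request body: the DocAuthors field is set to "*".
    BODY = "Subject=Hello&Body=Some+text&DocAuthors=*"
    print("text-only store  :", store_as_text_only(BODY)["DocAuthors"])
    print("form-typed store :", store_with_form_types(BODY)["DocAuthors"])
```

In the text-only store the DocAuthors item is just another text item and grants nothing; in the form-typed store the same request body produces an authors item with the client's "*" in it, which is exactly the exposure the post warns about.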