
New Response


You are replying to:

  1. That's a big leap. You assume there's a field called DocAuthors, that it's an authors field and that when it's passed in via the QUERY_STRING CGI var it is mapped to a form which contains a DocAuthors field.

    Sure it's a security problem. Anyone who exposes the Authors field unnecessarily is asking for trouble.

    The code I mentioned parses the HTTP-Request CGI variable, not the QUERY_STRING, so you're not limited by the maximum length of a URL. All fields are created as text fields and stored in the created/edited document. When you parse the HTTP-Request field there is no way to tell what data type the data is, because its value is just one long string. So even if you did create a field on an HTML form called DocAuthors and give it a value of '*', it would make no difference, as the field would be stored as a text field, not an authors field.

    John Z Marshall
