RestlessThoughts

Everything posted by RestlessThoughts

  1. There are lots of different ways to sanitize user input. For your specific examples, look at the ctype functions to check if the user enters the correct data. For example, ctype_alpha will return false with anything but letters, while ctype_alnum lets you use letters and numbers (and not things like symbols). For numbers, is_numeric would be a good test, or you could simply type cast it as an (int).
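     As an added example (not from the original post), the four checks named above applied to constructed sample values, assuming PHP 8 for the union return type; the validate_input() helper and the sample data are assumptions, and the last lines show why an (int) cast on its own converts rather than validates:

     ```php
     <?php
     declare(strict_types=1);

     // Added example, not from the original post. Constructed sample values only.
     // Form values arrive as strings, so every check takes a string and returns
     // the cleaned value on success or null on rejection.
     function validate_input(string $raw, string $kind): int|string|null
     {
         switch ($kind) {
             case 'letters':
                 // ctype_alpha(): true only for a non-empty run of A-Za-z
                 return ctype_alpha($raw) ? $raw : null;
             case 'alnum':
                 // ctype_alnum(): letters and digits, no symbols or spaces
                 return ctype_alnum($raw) ? $raw : null;
             case 'int':
                 // FILTER_VALIDATE_INT rejects '12abc', '4.2' and '1e3' outright;
                 // a bare (int) cast would silently give 12, 4 and 1000 instead.
                 $n = filter_var($raw, FILTER_VALIDATE_INT);
                 return $n === false ? null : $n;
             case 'number':
                 // is_numeric() also accepts decimals and exponents ('4.2', '1e3'),
                 // so use it only where those forms are acceptable input.
                 return is_numeric($raw) ? $raw : null;
         }
         return null;
     }

     // Constructed inputs covering the normal case and the edge cases.
     $samples = [
         'letters' => ['Alice', 'Al1ce', ''],
         'alnum'   => ['user42', 'user-42'],
         'int'     => ['42', '12abc', '4.2'],
         'number'  => ['4.2', '1e3', '42abc'],
     ];
     foreach ($samples as $kind => $values) {
         foreach ($values as $v) {
             printf("%-7s %-9s => %s\n", $kind, var_export($v, true),
                    var_export(validate_input($v, $kind), true));
         }
     }

     // Casting is conversion, not validation: trailing junk and non-numbers
     // are silently turned into integers instead of being rejected.
     var_dump((int) '12abc');
     var_dump((int) 'abc');
     ```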
  2. $_SERVER['HTTP_REFERER'] seems to be your best bet, but it can be edited by users. Or have a variable started on the parent page and passed to the iframe (like iframe src="page.php?parent=blah", and then using $_GET in the iframe), though this can also be edited by users, or the parent page stored in a $_SESSION variable (which can't be user edited). Why are you wanting to use iframes anyway?
  3. You shouldn't use JavaScript to solve this problem anyway, I'm sorry but it doesn't make sense to do it. You should only use JavaScript to enhance user experience, not for something that's absolutely necessary. Especially for something like this. Default values are the best way to go for a search page, it will function just as well as if the form was submitted. If you absolutely must have the parameters in the url, as I said before you should use a header at the very top of the page (before any html) to redirect the page if there's no parameters, or a JavaScript or meta redirect to do as much.
     if (!isset($_GET['term'])) {
         header('Location: page?term=&submit=Go');
         exit(); // stop here, otherwise the rest of the page still renders
     }
     This will give you your default values as if the form was clicked on with no changes.
  4. You could also have default values.
     if (!isset($_GET['term']) OR trim($_GET['term']) == '') {
         $_GET['term'] = 'Your Default';
     }
     Or alternatively redirect back to the form page if there are no get values.
  5. You move the file outside your public_html directory (or it may be a folder with your domain name, i.e. yoursite.com); this is normally one directory (folder) up from your site. You should be able to create a new folder (not a sub-domain) where you can't direct your browser to view it by entering the url. If all else fails, use .htaccess or chmod to help prevent anyone from viewing the directory and files within.
  6. Well you could use mod_rewrite. Or you could write the link with the variables in it (i.e. <a href="text.com/page.php?term=&submit=Go">link</a>) or use a header('Location: test.com/page.php?term=&submit=Go') to redirect (or JavaScript or meta tags if you'd prefer). You could also use a form with a 'get' method that directs back to itself through the action part when a user submits it. <form action="test.com/page.php" method="get">
  7. Thank you, that looks very interesting! I'm pretty rusty with Js, but that looks very much like what I'm wanting.
  8. Edit: Oops, I'm too slow. Use sessions to keep track of where the user is at. If they haven't answered the question right, send them back to the previous question.
     <?php
     session_start();
     if (isset($_POST['submit'])) {
         $number = $_POST['number'];
         if ($number == "elephant") {
             $_SESSION['question'] = 2;
             header("Location: http://localhost/index-2.php");
             exit();
         }
     }
     ?>
     Then on index-2:
     <?php
     session_start();
     if (!isset($_SESSION['question']) OR $_SESSION['question'] != 2) {
         header("Location: http://localhost/index-1.php");
         exit(); // stop rendering the question after redirecting
     }
     ?>
  9. Hi! I'd like to allow some user-submitted plugins or custom code bits on pages. I'm basically making an online game generator for dummies and would like to allow some extra customization. Obviously I don't want to offer the full capability of php. I found safer eval and I believe with php's tokenizer I could make a parser to check user-submitted scripts for malicious coding against a whitelist. (For html cleaning I'd use htmlpurifier, though I haven't found a good solution for any CSS or JavaScript yet. The php cleaning seems a larger road block anyway.) I was wondering if anyone here had a better solution? I don't want to make up my own coding language and I would prefer not to have to look over each script before use. I know this is a bad idea in general, sorry if I give anyone a heart attack by my even considering doing this and thank you in advance for any help!