I am trying to follow this tutorial and yeah, I don't know too much about PHP.
I'm sort of hoping that it isn't too difficult to "sanitize the submitted value before passing it to the header function to prevent header injection attacks."
The tutorial is here
This is to have an unobtrusive dropdown list without using JavaScript (which I prefer):
Code:
<form id="page-changer" action="" method="post">
<select name="nav">
<option value="">Go to page...</option>
<option value="http://css-tricks.com/">CSS-Tricks</option>
<option value="http://digwp.com/">Digging Into WordPress</option>
<option value="http://quotesondesign.com/">Quotes on Design</option>
</select>
<input type="submit" value="Go" id="submit" />
</form>
There is no JavaScript - the form is given an ID to be targeted later. The form now POSTs to itself, and we have added a submit button, so the form is functional. The select now has a name value, so when the submit button is pressed, it will POST a value.
At the very top of our page, we'll check for a POST value from that form. If it is there, we'll redirect the page to that value.
Code:
<?php
if (isset($_POST['nav'])) {
header("Location: $_POST[nav]");
}
?>
Then - my question!
Chris Coyier goes on to say (the guy that wrote the post) -
NOTE: this is just the way-simplified PHP. You should probably sanitize that submitted value before passing it to the header function (esp. if running PHP prior to 4.4.2 or 5.1.2) to prevent "header injection" attacks.
So - how is that done? THANKS for reading this.
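
One way to do the sanitizing the note asks for, as an added example that is not part of the original post or the tutorial: the form only offers three destinations, so the submitted value is compared against that list and anything else is refused. The helper name `safe_redirect_target`, the `ALLOWED_TARGETS` constant and the command-line self-check at the end are assumptions made for illustration.

```php
<?php
// Added example: allow-list check for the redirect target (not the tutorial's code).
// The three URLs are the <option> values from the form above.
const ALLOWED_TARGETS = [
    'http://css-tricks.com/',
    'http://digwp.com/',
    'http://quotesondesign.com/',
];

// Hypothetical helper: returns the URL to redirect to, or null if the value must not reach header().
function safe_redirect_target($submitted): ?string
{
    // A body such as nav[]=x makes $_POST['nav'] an array; accept strings only.
    if (!is_string($submitted)) {
        return null;
    }
    // CR, LF or NUL in the value is what would let a request add extra header lines.
    if (preg_match('/[\r\n\0]/', $submitted)) {
        return null;
    }
    // Strict comparison against the known options; this also stops the form
    // from being used to redirect visitors to an arbitrary site.
    return in_array($submitted, ALLOWED_TARGETS, true) ? $submitted : null;
}

if (PHP_SAPI !== 'cli' && isset($_POST['nav'])) {
    $target = safe_redirect_target($_POST['nav']);
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // stop rendering the rest of the page after the redirect
    }
    // Empty "Go to page..." option or an unknown value: fall through and show the page.
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs for a quick check from the command line.
    $samples = [
        'http://digwp.com/',
        '',
        "http://digwp.com/\r\nX-Test: 1",
        'http://example.invalid/',
        ['http://digwp.com/'],
    ];
    foreach ($samples as $s) {
        echo json_encode($s), ' => ', var_export(safe_redirect_target($s), true), "\n";
    }
}
```

Run from the command line, only the first sample comes back as a URL; the other four return NULL and would leave the visitor on the page.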