View Full Version : PHP advice - Do you need to clean checkbox, radio buttons, and checkboxes...

liam1412
19-06-2007, 15:30
..... When passing via method="POST"..
Thanks as always

mrmist
19-06-2007, 15:34
Really you should clean all the input (before passing to a database) because it may be injected rather than come from your nicely-formed page.

liam1412
19-06-2007, 15:40
I'm not disputing you (that's why I asked), but how is it injected when passing over POST rather than by URL using GET? Does that make sense?

Ghozer
19-06-2007, 16:15
I never clean.... if I'm thinking the same as what you're talking about.. and you can inject with POST, using a Firefox plugin called "Tamper Data" ;)

liam1412
19-06-2007, 16:33
I mean stripping out malicious code. I didn't realise you could get a hack like that. Scary. I have always relied on the fact that with checkboxes, radio buttons, and dropdowns you supply the values that will be input through the value tag on the form.

DaFoot
19-06-2007, 16:34
> I'm not disputing you (that's why I asked), but how is it injected when passing over POST rather than by URL using GET? Does that make sense?

If I look at your page with the form on it, I can create a dummy page of my own that posts the required fields containing the data I want to send to the same destination as specified in your form declaration.

liam1412
19-06-2007, 16:37
I see. God, there is so much to think about. Only I have to be doubly careful with this one as I am storing CVs and job seeker profiles. Is there a body that can certify the site is safe, by the way?

probedb
19-06-2007, 17:54
The type="checkbox" etc. is only there to tell the browser what to display. As far as PHP is concerned an input box contains anything. You must clean all input from a form whether it's passed over GET or POST. The method is really irrelevant except there are some restrictions on GET like only being able to pass 255 characters. You use GET when you want to "get" some information (i.e. search results etc.), you use POST when you want to put something in a database etc.
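The two points made above, by DaFoot (anyone can build a dummy page or use a proxy to post values your form never offered) and by probedb (the server must check every field the same way whether it arrived by GET or POST), as an added PHP example. This is not code from anyone in this thread. The field names, the option values, the `profiles` table and the in-memory SQLite database are assumptions for illustration, and the two request bodies are constructed samples.

```php
<?php
// Added example for this thread (not the original poster's code). It assumes a
// job-seeker profile form with three fields, all names and options invented
// for illustration: checkbox "newsletter" (value="1"), radio group
// "availability" (immediate / notice / unavailable) and select "experience"
// (junior / mid / senior).

// Server-side description of what the form offers. The value="..." attributes
// in the HTML only tell the browser what to send; this table is the control.
$fields = [
    'newsletter'   => ['type' => 'checkbox', 'value' => '1'],
    'availability' => ['type' => 'choice', 'options' => ['immediate', 'notice', 'unavailable']],
    'experience'   => ['type' => 'choice', 'options' => ['junior', 'mid', 'senior']],
];

/**
 * Check submitted input ($_GET or $_POST alike) against the field table.
 * Returns [$clean, $errors]; $clean is safe to store only when $errors is empty.
 */
function validate_form(array $input, array $fields): array
{
    $clean  = [];
    $errors = [];
    foreach ($fields as $name => $spec) {
        $present = array_key_exists($name, $input);
        $value   = $present ? $input[$name] : null;

        if ($spec['type'] === 'checkbox') {
            // An unchecked box is simply absent from the request: store 0.
            // If present it must carry exactly the value the form offers.
            if (!$present) {
                $clean[$name] = 0;
            } elseif ($value === $spec['value']) {
                $clean[$name] = 1;
            } else {
                $errors[] = "$name: unexpected checkbox value";
            }
            continue;
        }

        // Radio / select: required, must be a string (a forged body can send
        // name[]=x and PHP will hand you an array) and must be one of the options.
        if (!$present) {
            $errors[] = "$name: missing";
        } elseif (!is_string($value) || !in_array($value, $spec['options'], true)) {
            $errors[] = "$name: value not offered by the form";
        } else {
            $clean[$name] = $value;
        }
    }
    return [$clean, $errors];
}

/** Store a validated profile with bound parameters, never string-built SQL. */
function store_profile(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO profiles (newsletter, availability, experience) VALUES (:n, :a, :e)'
    );
    $stmt->execute([
        ':n' => $clean['newsletter'],
        ':a' => $clean['availability'],
        ':e' => $clean['experience'],
    ]);
    return (int) $db->lastInsertId();
}

// In-memory SQLite stands in for the real database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE profiles (id INTEGER PRIMARY KEY, newsletter INTEGER, availability TEXT, experience TEXT)');

// Constructed sample bodies. The first is what a browser sends from the real
// form; the second is what a dummy page or a proxy such as Tamper Data can
// send to the same action URL, using values the form never offered.
$bodies = [
    'browser' => 'newsletter=1&availability=notice&experience=mid',
    'forged'  => "newsletter=on&availability=unlisted'--&experience[]=senior",
];

foreach ($bodies as $label => $body) {
    parse_str($body, $input);          // decodes a body the way PHP fills $_POST
    [$clean, $errors] = validate_form($input, $fields);
    if ($errors) {
        echo "$label: rejected (", implode('; ', $errors), ")\n";
        continue;
    }
    $id = store_profile($db, $clean);
    echo "$label: stored as profile #$id\n";
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). In a real handler you would pass `$_POST` straight into `validate_form()` instead of `parse_str()`; the point is that the allowlist lives on the server and is applied to every field, so it makes no difference whether the values came from your form, a dummy page posting to the same action, or an intercepting proxy. Binding the cleaned values as prepared-statement parameters is what keeps the database safe; the allowlist is what keeps the stored data meaningful.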