Dylan Reinhardt wrote:
My unsolicited $.02:
You may want to think twice about relying on this for a public-facing production system.
The first rule of security for a public web site is to validate *all* client input. That includes posted values, *and* field names.
Depending on the client to post a form without tweaking the field names is a pretty trusting position to take, IMO. If you're going to validate your data anyway, what's the point of specifying data types at any point prior to validation?
Including meaningful field names in your form just gives you one more failure point... it's one more thing you should be validating but most likely aren't, or you wouldn't be using it in the first place.
The field name hack is a really neat trick... but it's not something I'd advise depending on for anything important that gets public exposure.
Could you elaborate on this a little bit? I can't see any problem with using field names which hold data structure information. What you shouldn't do is _rely_ on the types (name:int etc.) for anything important, but using the names to get the data as a record or list etc. doesn't seem dangerous to me.
thanks,
oliver
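The point debated in this thread, as an added example that is not part of either message: a server-side check that treats the posted field name, type suffix included, as untrusted input and accepts only the exact names the server's own form emits. It is plain Python with no framework API; the field names, limits and helper names are all hypothetical.

```python
import re

def _int_in_range(lo, hi):
    # Server-side integer check; the client's ":int" suffix is never trusted.
    def check(value):
        if not re.fullmatch(r"[0-9]{1,3}", value) or not lo <= int(value) <= hi:
            raise ValueError("not an integer in range")
        return int(value)
    return check

def _short_text(value):
    if not 0 < len(value) <= 64 or not value.isprintable():
        raise ValueError("bad text")
    return value

# Constructed allowlist: exact posted name -> (clean key, validator, may repeat).
ALLOWED = {
    "age:int": ("age", _int_in_range(0, 150), False),
    "nick": ("nick", _short_text, False),
    "tags:list": ("tags", _short_text, True),
}

def validate_form(posted):
    """posted: list of (field_name, value) string pairs exactly as received."""
    clean, errors = {}, []
    for name, value in posted:
        rule = ALLOWED.get(name)
        if rule is None:
            # Covers unknown fields and known fields with a tweaked suffix.
            errors.append(f"unexpected field name {name!r}")
            continue
        key, check, may_repeat = rule
        if not may_repeat and key in clean:
            errors.append(f"duplicate field {name!r}")
            continue
        try:
            parsed = check(value)
        except ValueError as exc:
            errors.append(f"{name}: {exc}")
            continue
        if may_repeat:
            clean.setdefault(key, []).append(parsed)
        else:
            clean[key] = parsed
    return clean, errors
```
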