[ap 2.03] security of comments

I changed the templates of ap 2.03 to prompt for a street address for a client I am doing some work for, so as their customers can request more info (yes, I registered ap yesterday).

I am not hence outputting the comments in the poll forms itself. However, I was wondering if someone could just invoke comments.php?id=x&..... with some sort of param to view the "comments" anyway or pass something else to one of the other php scripts in there to do this.

I'm a perl jockey and just cracked a php book today, which makes me nervous. I didn't see anything since it looks like you have to call the view_poll_comments method in the poll class, but want to be sure.

Thanks!

I forgot about the various demo_?.php scripts, some which reveal the comments. So I chmod'ed them shut.

Still would like to know about original question though. Thanks.

Not sure if people can do that.

I think they have to have an instance of the method you mentioned.

All guess work mind you, why don't you try it for yourself?

edit; even if you did collect the addy and store it in the db it would only display if you edited the files and templates to display it. Unless you made them put the addy in the comments field.

Auron wrote:All guess work mind you, why don't you try it for yourself?

I have, but I'm not comfortable enough with PHP to have confidence that I've tried everything possible!

Auron wrote:
edit; even if you did collect the addy and store it in the db it would only display if you edited the files and templates to display it. Unless you made them put the addy in the comments field.

I stashed it in the comments field. I just changed the template to say enter address, trying to avoid changing the code and db structure which would make upgrading ap more of a hassle in the future.

Thanks for the reply!