On 5/25/06, afan@xxxxxxxx <afan@xxxxxxxx> wrote:
As you said: Filtering. My next question. I have a small form to activate/deactivate a member's account.

  <form method=post action=members.php>
  <input type=hidden name=username value=<?= $Username ?>>
  <input type=hidden name=status value=<?= $Status ?>>
  <input type=image name=action value=change src=images/status_live.gif border=0>
  </form>

and once the administrator clicks on the button:

  if(isset($_POST['action'])) {
      $Username = $_POST['username'];
      $action = $_POST['action'];
      switch($action) {
          case 'change':
              mysql_query("UPDATE members SET status='live' WHERE Username = '".$Username."'");
              break;
          case 'edit':
              // ...
              break;
      }
  }

Do I have to filter $Username with the mysql_real_escape_string() function even if $Username will not be stored in the DB and I use it in the WHERE part? If no - how to filter it?

Thanks
-afan
Yes, you're sending it into the DB which means it is a command that needs to be escaped. All MySQL commands need to be escaped.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
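To show concretely why a value that only appears in the WHERE clause still has to be escaped, here is an added example (not from the thread) that mirrors the activation query above in Python against an in-memory SQLite table. The member rows and the hostile username are constructed for the demonstration; the parameterised query is the modern equivalent of escaping with mysql_real_escape_string().

```python
import sqlite3

# Constructed in-memory stand-in for the `members` table in the post.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT PRIMARY KEY, status TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("alice", "inactive"), ("bob", "inactive"), ("carol", "inactive")])
    conn.commit()
    return conn

def activate_unsafe(conn, username):
    # Mirrors the post's query: the value is concatenated straight into the WHERE clause,
    # so the username text becomes part of the SQL command, not just data.
    conn.execute("UPDATE members SET status='live' WHERE username = '" + username + "'")
    conn.commit()

def activate_safe(conn, username):
    # Parameterised statement: the driver sends the value separately from the SQL text,
    # so a quote inside the input can never change the shape of the WHERE clause.
    conn.execute("UPDATE members SET status='live' WHERE username = ?", (username,))
    conn.commit()

def live_members(conn):
    rows = conn.execute("SELECT username FROM members WHERE status='live'")
    return sorted(r[0] for r in rows)

def demo():
    # Constructed hostile value: closes the quoted literal and widens the WHERE clause.
    hostile = "nobody' OR '1'='1"
    unsafe = make_db()
    activate_unsafe(unsafe, hostile)   # every row becomes 'live'
    safe = make_db()
    activate_safe(safe, hostile)       # no row has that literal username; nothing changes
    return live_members(unsafe), live_members(safe)

if __name__ == "__main__":
    print(demo())
```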