Re: Filtering (was storing single and double quote in MySQL)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 5/25/06, afan@xxxxxxxx <afan@xxxxxxxx> wrote:
As you said: Filtering. My next queston.

I have small form to activate/deactivate member's account.

<form method=post action=members.php>
<input type=hidden name=username value=<?= $Usename ?>
<input type=hidden name=status value=<?= $Status ?>
<input type=image name=action value=change src=images/status_live.gif
border=0>
</form>

and once adminisrtrator clicks on button:

if(isset($_POST['action']))
{
  $Username = $_POST['Username'];
  $action = '';
  switch($action)
  {
    case 'change':
      mysql_query("UPDATE members SET status='live' WHERE Username =
'".$Username."'");
    break;

    case 'edit':
      //  ...
   break;
  }
}

Do I have to filter $Username with mysql_real_escape_string() function
even if $Username will not be stored in DB and I use it in WHERE part?
If no - how to filter it?

Thanks

-afan


Yes, you're sending it into the DB which means it is a command that
needs to be escaped.  All MySQL commands need to be escaped.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux