> -----Original Message-----
> From: afan@xxxxxxxx [mailto:afan@xxxxxxxx]
> Sent: 25 May 2006 22:19
> To: tedd
> Cc: Eric Butera; php
> Subject: Re: Filtering (was storing single and double quote in MySQL)
>
> As you said: Filtering. My next question.
>
> I have a small form to activate/deactivate a member's account.
>
> <form method="post" action="members.php">
> <input type="hidden" name="Username" value="<?= htmlspecialchars($Username) ?>">
> <input type="hidden" name="status" value="<?= htmlspecialchars($Status) ?>">
> <input type="image" name="action" value="change" src="images/status_live.gif" border="0">
> </form>
>
> and once the administrator clicks on the button:
>
> if(isset($_POST['action']))
> {
>     $Username = $_POST['Username'];
>     $action = $_POST['action']; // switch on the submitted action, not on an empty string
>     switch($action)
>     {
>         case 'change':
>             mysql_query("UPDATE members SET status='live' WHERE Username = '".$Username."'");
>             break;
>
>         case 'edit':
>             // ...
>             break;
>     }
> }
>
> Do I have to filter $Username with the mysql_real_escape_string() function
> even if $Username will not be stored in the DB and I only use it in the WHERE part?
> If not - how do I filter it?
>
> Thanks
>
> -afan

Always sanitise data provided externally; whether it's from the user directly
(e.g. a POST form or a URL query string (GET)) or from the browser (e.g. cookie
data)... always assume it can never be trusted (there are some nasty people out
there).

In this case using mysql_real_escape_string() on the supplied username should be
enough for most injection attacks
( http://www.google.co.uk/search?hl=en&q=sql+injection&meta= ), but to be more
sure try this (if your username is alphanumeric only with spaces):

if(isset($_POST['action']))
{
    // Whitelist: keep only letters and digits, drop everything else
    $Username = preg_replace('/[^a-zA-Z0-9]+/', '', $_POST['Username']);
    $action = $_POST['action'];
    switch($action)
    {
        case 'change':
            if (!empty($Username))
                mysql_query("UPDATE members SET status='live' WHERE Username = '".$Username."'");
            break;

        case 'edit':
            // ...
            break;
    }
}

I think that's right :)

Dan
--
http://chrome.me.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
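An added example, not from either poster, of the same activate/deactivate handler written so that the username is whitelisted and then bound as a parameter of a prepared statement rather than concatenated into the query. It assumes a PDO connection (the DSN and credentials are placeholders) and the `members` table with `Username` and `status` columns from the thread; the length limit and allowed status values are constructed.

```php
<?php
// Added example (not from the thread). The mysql_* functions were removed in
// PHP 7, so this uses PDO; the DSN and credentials below are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=example', 'dbuser', 'dbpassword', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

/**
 * Return the trimmed username if it matches the allowed pattern, else null.
 * Rule (constructed): letters/digits, single internal spaces, max 32 chars.
 */
function validUsername(string $raw): ?string
{
    $name = trim($raw);
    $ok = strlen($name) <= 32
        && preg_match('/^[A-Za-z0-9]+( [A-Za-z0-9]+)*$/', $name) === 1;
    return $ok ? $name : null;
}

/** Set a member's status and return the number of rows actually changed. */
function setMemberStatus(PDO $pdo, string $username, string $status): int
{
    // The status is whitelisted too: only the values this form may set.
    if (!in_array($status, ['live', 'inactive'], true)) {
        throw new InvalidArgumentException('unknown status');
    }
    // Placeholders keep the value out of the SQL text, so a quote in the
    // username cannot change the statement's structure.
    $stmt = $pdo->prepare('UPDATE members SET status = :status WHERE Username = :name');
    $stmt->execute([':status' => $status, ':name' => $username]);
    return $stmt->rowCount();
}

if (isset($_POST['action'])) {
    $username = validUsername($_POST['Username'] ?? '');
    if ($username === null) {
        http_response_code(400);
        exit('invalid username');
    }
    switch ($_POST['action']) {          // test the submitted value
        case 'change':
            $changed = setMemberStatus($pdo, $username, 'live');
            break;
        case 'edit':
            // ...
            break;
        default:
            http_response_code(400);
            exit('unknown action');
    }
}
```

With a prepared statement the question in the thread (escape or not, even in a WHERE clause) no longer arises, because the driver sends the value separately from the SQL text; the whitelist check is still worth keeping as a second layer and to reject obviously bad input early.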