At 11:19 PM +0200 5/25/06, afan@xxxxxxxx wrote:
As you said: Filtering. My next question.
I have small form to activate/deactivate member's account.
<form method="post" action="members.php">
<input type="hidden" name="username" value="<?= $Username ?>">
<input type="hidden" name="status" value="<?= $Status ?>">
<input type="image" name="action" value="change" src="images/status_live.gif"
border="0">
</form>
and once the administrator clicks on the button:
if(isset($_POST['action']))
{
    $Username = $_POST['username'];   // same name as the hidden form field
    $action = ''; <================= ERROR
    switch($action)
    {
        case 'change':
            mysql_query("UPDATE members SET status='live' WHERE username =
                '".$Username."'");
            break;
        case 'edit':
            // ...
            break;
    }
}
Do I have to filter $Username with the mysql_real_escape_string() function
even if $Username will not be stored in the DB and I only use it in the WHERE part?
If not - how do I filter it?
Thanks
-afan
-afan:
Two things:
1. Anytime you put anything into a DB then use the
mysql_real_escape_string() function. If you are NOT going to put it
in a DB, then you don't need the mysql_real_escape_string() function --
understand?
2. Filtering is like the example I gave you before. You take
something that comes in from a POST and then compare that with what
you expect.
As with your example above -- what do you want $_POST['action'] to
contain? (Please note the ERROR -- your code would never get into the
switch).
If you want $_POST['action'] to contain 'change' or 'edit' or whatever,
then test for that in the switch. It's the same as the example I gave
you. At some point here, you're going to have to start thinking about
what you're doing.
tedd
--
------------------------------------------------------------------------------------
http://sperling.com http://ancientstones.com http://earthstones.com
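The following is an added example for this thread; it is not code posted by afan or tedd. It puts the two points from the reply into one request handler for the form in the question: the incoming 'action' and 'username' are compared against what the script expects (a whitelist of actions and a username pattern, both assumptions made for the example), and the username is then bound as a prepared-statement parameter, so it never becomes part of the SQL text even though it is only used in the WHERE clause. The table and column names follow the post; the mysqli connection details are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes a `members` table with
// `username` and `status` columns, as in the post, and a mysqli connection.

// What each accepted value of 'action' should do. Anything else is rejected.
const MEMBER_ACTIONS = [
    'change' => 'live',   // activate the account
    'edit'   => null,     // handled elsewhere in the original post
];

// Username shape this script expects (an assumption for the example).
const USERNAME_PATTERN = '/^[A-Za-z0-9_.-]{1,32}$/';

/**
 * Filtering step: returns ['action' => ..., 'username' => ...] when the
 * request matches expectations, or null when anything is missing or unexpected.
 */
function filter_member_request(array $post): ?array
{
    if (!isset($post['action'], $post['username'])) {
        return null;
    }
    $action   = (string) $post['action'];
    $username = (string) $post['username'];

    if (!array_key_exists($action, MEMBER_ACTIONS)) {
        return null;   // not one of the values we expect, so do nothing
    }
    if (preg_match(USERNAME_PATTERN, $username) !== 1) {
        return null;   // does not look like a username
    }
    return ['action' => $action, 'username' => $username];
}

/**
 * Database step: the username is bound as a parameter, so no manual escaping
 * is involved and the WHERE clause is covered the same way as a stored value.
 * Returns the number of rows updated (0 if no such member or no status change).
 */
function apply_member_action(mysqli $db, array $request): int
{
    $newStatus = MEMBER_ACTIONS[$request['action']];
    if ($newStatus === null) {
        return 0;      // 'edit' is not a status change
    }
    $stmt = $db->prepare('UPDATE members SET status = ? WHERE username = ?');
    $stmt->bind_param('ss', $newStatus, $request['username']);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $request = filter_member_request($_POST);
    if ($request === null) {
        http_response_code(400);   // reject instead of guessing what was meant
        exit('Unexpected request');
    }
    // Placeholder credentials; replace with the real connection settings.
    $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
    apply_member_action($db, $request);
}
```

Splitting the filtering into its own function keeps the "compare with what you expect" step testable without a database: filter_member_request(['action' => 'change', 'username' => 'bob']) returns the pair, while an unexpected action or a username that fails the pattern returns null and nothing is sent to MySQL.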
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php