although you should be filtering input in order to avoid sql injection, cross-site-scripting and other related nasties, you shouldn't be using htmlentities() in order to protect against sql injection.

filter the incoming data, e.g.:

$a = intval($_GET['a']);     // you want only integers
$a = floatval($_GET['a']);   // you want only floats
$a = strip_tags($_GET['a']); // you don't want html especially

go read this page and use the filter extension if you can:
http://nl2.php.net/filter

and then escape your data properly according to the context it is being used in, e.g.:

mysql_real_escape_string(); // for using data in a mysql query
htmlentities();             // for using data in a webpage

itoctopus wrote:
> Since you're new to this, always be sure to clean up the output you get from
> $_GET or $_POST to avoid sql injection.
>
> For example: $search_value = htmlentities($_GET['search_value'],
> ENT_QUOTES);
> If you're casting to something other than a string (such as int) then you're
> safe and you don't have to use htmlentities.
>
> --
> itoctopus - http://www.itoctopus.com
> "Jeff" <akaman@xxxxxxxxxxx> wrote in message
> news:4B.85.42584.E9DF1064@xxxxxxxxxxxxxxx
>> Thank you Chris!
>>
>> "Chris" <dmagick@xxxxxxxxx> wrote in message
>> news:4601EFD9.2050103@xxxxxxxxxxxx
>>> Jeff wrote:
>>>> I want to thank you all for clearing me up on setting the
>>>> register_globals to ON issue!! I have refrained from doing so and my code
>>>> is running great with the $_GET.
>>>>
>>>> I am having NO trouble passing my "single" variable to the next page
>>>> using..
>>>>
>>>> echo "<A href=\"char_edit_form.php?charid=$charid\">Edit</A>";
>>>>
>>>> as when the next page that loads actually shows the character info, so
>>>> basically you can see you are dealing with the correct record.
>>>>
>>>> NOW.............
>>>>
>>>> I want to pass two variables to a delete page. The charid and the char
>>>> name.
>>>> Here is what I have but it will only pass the 1st variable ?charid
>>>> echo "<A href=\"delete_char.php?charid=$charid
>>>> ?char=".$myrow["char_name"]."\">Delete</A>";
>>> The first one is preceded by a ?
>>>
>>> Subsequent ones are with an '&'.
>>>
>>> See http://en.wikipedia.org/wiki/Query_string
>>>
>>> --
>>> Postgresql & php tutorials
>>> http://www.designmagick.com/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
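Pulling the thread's two pieces of advice together (filter input by type, then escape per output context; join a second query-string parameter with '&', not a second '?'), here is an added example that is not from any of the posters. It uses the filter extension the reply points to, http_build_query for the link Jeff is building, htmlspecialchars for the HTML context and mysqli's real_escape_string for the SQL context (the thread's own code uses the older mysql_* functions). The table and column names, the `$db` connection parameter and the sample request array are assumptions for the sake of the example.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with mysqli
// available and a caller-supplied mysqli connection $db (hypothetical).

// 1. Filter input by the type you expect, as the reply recommends.
function read_char_id(array $get): ?int {
    // FILTER_VALIDATE_INT rejects "42abc", "", "1e3" and negative ids here;
    // an int is then safe to drop into a query or URL as-is.
    $id = filter_var($get['charid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

function read_char_name(array $get): string {
    $name = (string)($get['char'] ?? '');
    $name = strip_tags($name);            // html is never wanted in a name
    return mb_substr(trim($name), 0, 64); // and bound its length
}

// 2. The link Jeff asked about: http_build_query emits the first parameter
//    after '?' and joins the rest with '&', percent-encoding each value.
function delete_link(int $charid, string $charName): string {
    $url = 'delete_char.php?' . http_build_query([
        'charid' => $charid,
        'char'   => $charName,
    ]);
    // The URL lands inside an HTML attribute, so escape for that context
    // (this turns the '&' separator into '&amp;', which browsers decode).
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Delete</a>';
}

// 3. SQL context: escaping depends on the connection's charset, which is why
//    mysqli needs the link. htmlentities() would NOT help here; a quote in the
//    name would still terminate the string literal. A prepared statement with
//    a bound parameter is the preferred way to do this today.
function delete_sql(mysqli $db, int $charid, string $charName): string {
    return sprintf(
        "DELETE FROM characters WHERE charid = %d AND char_name = '%s'",
        $charid,                            // already an int, no quoting needed
        $db->real_escape_string($charName)  // string context, quoted above
    );
}

// Constructed sample request standing in for $_GET.
$get  = ['charid' => '42', 'char' => "O'Brien <b>x</b>"];
$id   = read_char_id($get);
$name = read_char_name($get);

if ($id === null) {
    http_response_code(400);
    exit('bad charid');
}

echo delete_link($id, $name), "\n";
// delete_sql($db, $id, $name) would then be run against the connection.
```

Run it from the command line to see the rendered link: charid goes through as a bare integer, the name arrives with its tags stripped and its apostrophe percent-encoded, and the two parameters are separated by '&amp;' inside the attribute. The same name passes through a different escaper for the SQL string, which is the point of the reply: one escaping function per output context, chosen by where the data is going, not by where it came from.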