on 3/30/02 6:33 PM, wesley grubbs at [EMAIL PROTECTED] appended the following bits to my mbox:

> foreach($_POST["del"] as $val) {
>
> $sql = "DELETE FROM $tablename WHERE id = $val";

Be very careful with this. If a user spoofs the form and adds the value for del like this:

<input type="checkbox" name="del[]" value="2 OR 1=1">

that would make the SQL statement:

DELETE FROM table WHERE id=2 OR 1=1

which would, of course, delete all records in the table.

To remedy that, you could quote the value in the SQL statement and pass the addslashed $val, like this:

$sql = "DELETE FROM $tablename WHERE id='" . addslashes($val) . "'";

That is a lot harder to get around (though perhaps still possible).

Also...

on 3/30/02 8:31 PM, Hugh Bothwell at [EMAIL PROTECTED] appended the following bits to my mbox:

> // NOTE: this assumes that 0 is never a valid id; I just
> // stuck it in to make the comma-delimiting come out right
> $query = "DELETE FROM tablename WHERE id IN ( 0";
>
> foreach($_POST["del"] as $val)
>     $query .= ', '.$val;
>
> $query .= ' )';

You could use implode for things like this, i.e.,

// addslashes() takes a single string, so apply it to each element with array_map
$sql = "DELETE FROM $tablename WHERE id IN ('" . implode("','", array_map('addslashes', $_POST['del'])) . "')";

That would produce something like:

DELETE FROM table WHERE id IN ('3','4','123');

Hope that helps.

Sincerely,

Paul Burney
<http://paulburney.com/>

<?php
    while ($self != "asleep") {
        $sheep_count++;
    }
?>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
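As an added example, not code from anyone in the thread: the same bulk delete written with a PDO prepared statement, so the submitted ids are validated and bound as parameters and addslashes() is not needed at all. It assumes an in-memory SQLite table named items (constructed here so the script runs stand-alone); the table name is fixed in code because identifiers cannot be bound as parameters.

```php
<?php
// Added example (not from the mailing-list thread). Deletes rows whose ids
// were submitted as $_POST['del'][] without ever concatenating input into SQL.

function deleteByIds(PDO $pdo, array $ids): int
{
    // Keep only values that look like positive integers; anything else,
    // including the spoofed "2 OR 1=1" from the thread, is discarded here.
    $clean = [];
    foreach ($ids as $val) {
        if (is_scalar($val) && preg_match('/^[1-9][0-9]*$/', (string) $val)) {
            $clean[] = (int) $val;
        }
    }
    if ($clean === []) {
        return 0; // "IN ()" is a syntax error, so bail out early
    }

    // One "?" placeholder per id; the values are bound by the driver,
    // so they are data, never part of the statement text.
    $marks = implode(',', array_fill(0, count($clean), '?'));
    $stmt  = $pdo->prepare("DELETE FROM items WHERE id IN ($marks)");
    $stmt->execute($clean);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO items (id, name) VALUES (1,'a'),(2,'b'),(3,'c'),(4,'d')");

// Simulated $_POST['del']: two real ids plus the spoofed checkbox value.
$submitted = ['2', '4', '2 OR 1=1'];
$deleted   = deleteByIds($pdo, $submitted);
$left      = (int) $pdo->query('SELECT COUNT(*) FROM items')->fetchColumn();
printf("deleted=%d remaining=%d\n", $deleted, $left);
```

With a MySQL connection the same function works unchanged; only the PDO DSN and the table setup differ.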