on 3/30/02 6:33 PM, wesley grubbs at [EMAIL PROTECTED] appended the
following bits to my mbox:

> foreach($_POST["del"] as $val) {
> 
> $sql = "DELETE FROM $tablename WHERE id = $val";

Be very careful with this.  If a user spoofs the form and adds the value for
del like this:

<input type="checkbox" name="del[]" value="2 OR 1=1">

That would make the SQL statement:

DELETE FROM table WHERE id=2 OR 1=1

Which would, of course, delete all records in the table.

To remedy that, you could quote the value in the SQL statement and pass the
addslashed $val, like this:

$sql = "DELETE FROM $tablename WHERE id='" . addslashes($val) . "'";

That is a lot harder to get around (though perhaps still possible).

Also...

on 3/30/02 8:31 PM, Hugh Bothwell at [EMAIL PROTECTED] appended the
following bits to my mbox:

> // NOTE: this assumes that 0 is never a valid id; I just
> // stuck it in to make the comma-delimiting come out right
> $query = "DELETE FROM tablename WHERE id IN ( 0";
> 
> foreach($_POST["del"] as $val)
>   $query .= ', '.$val;
> 
> $query .= ' )';

You could use implode for things like this, i.e.,

// addslashes() takes a single string, so escape each element with array_map() first
$sql = "DELETE FROM $tablename WHERE id IN ('" .
implode("','", array_map('addslashes', $_POST['del'])) . "')";

That would produce something like:

DELETE FROM table WHERE id IN ('3','4','123');

Hope that helps.

Sincerely,

Paul Burney
<http://paulburney.com/>

<?php
    while ($self != "asleep") {
        $sheep_count++;
    }
?>
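Added example, not code from the original post. It shows two ways to build the DELETE from $_POST['del'] so that a spoofed value such as "2 OR 1=1" never reaches the SQL: validating every id as a positive integer before inlining it, and a prepared statement with one placeholder per id. The table allow-list, the `items` table and the sample inputs are assumptions made for the example.

```php
<?php
// Added example (not from the original post). The table allow-list, the
// "items" table and the sample inputs below are assumptions.

// Only tables the application itself chose may be deleted from; never take
// $tablename from the request.
const DELETABLE_TABLES = ['items', 'comments'];

/**
 * Returns the validated ids as ints, or null if any value is not a positive
 * integer. "2 OR 1=1", "3'", "-4" and "" are all rejected; "12" passes.
 */
function validate_ids(array $raw): ?array
{
    $ids = [];
    foreach ($raw as $val) {
        if (!is_string($val)) {
            return null;   // nested arrays (del[][]=x) are not ids
        }
        $n = filter_var($val, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($n === false) {
            return null;   // anything that is not a positive integer refuses the whole request
        }
        $ids[] = $n;
    }
    return $ids === [] ? null : $ids;
}

/** Way 1: validated integers inlined. Safe because every element is an int. */
function build_delete_sql(string $tablename, array $raw): ?string
{
    if (!in_array($tablename, DELETABLE_TABLES, true)) {
        return null;
    }
    $ids = validate_ids($raw);
    if ($ids === null) {
        return null;
    }
    return "DELETE FROM $tablename WHERE id IN (" . implode(',', $ids) . ")";
}

/** Way 2: prepared statement, one ? per id; values are bound separately from the SQL. */
function delete_rows(PDO $db, string $tablename, array $raw): int
{
    if (!in_array($tablename, DELETABLE_TABLES, true)) {
        throw new InvalidArgumentException('table not deletable');
    }
    $ids = validate_ids($raw);
    if ($ids === null) {
        throw new InvalidArgumentException('bad id in del[]');
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM $tablename WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed sample inputs standing in for $_POST['del'].
$honest  = ['3', '4', '123'];
$spoofed = ['2 OR 1=1'];

var_dump(build_delete_sql('items', $honest));   // the IN (...) statement with three ints
var_dump(build_delete_sql('items', $spoofed));  // null: the request is refused, nothing runs

// In-memory SQLite so the prepared-statement path can be exercised offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (id, name) VALUES (3,'a'),(4,'b'),(5,'c'),(123,'d')");
echo delete_rows($db, 'items', $honest), " rows deleted\n";
echo $db->query('SELECT COUNT(*) FROM items')->fetchColumn(), " row(s) left\n";
```

Either way beats addslashes(): refusing the request outright when a value is not an integer means a tampered form cannot widen the WHERE clause, and with the prepared statement the database never parses user data as SQL at all.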


-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php