on 3/30/02 6:33 PM, wesley grubbs:. at [EMAIL PROTECTED] appended the
following bits to my mbox:
Advertising
> foreach($_POST["del"] as $val) {
>
> $sql = "DELETE FROM $tablename WHERE id = $val";
Be very careful with this. If a user spoofs the form and adds the value for
del like this:
<input type="checkbox" name="del[]" value="2 OR 1=1">
Would make the SQL statement:
DELETE FROM table WHERE id=2 OR 1=1
Which would, of course, delete all records in the table.
To remedy that, you could quote the value in the SQL statement and pass the
addslashed $val, like this:
$sql = "DELETE FROM $tablename WHERE id='" . addslashes($val) . "'";
That is a lot harder to get around (though perhaps still possible).
Also...
on 3/30/02 8:31 PM, Hugh Bothwell at [EMAIL PROTECTED] appended the
following bits to my mbox:
> // NOTE: this assumes that 0 is never a valid id; I just
> // stuck it in to make the comma-delimiting come out right
> $query = "DELETE FROM tablename WHERE id IN ( 0";
>
> foreach($_POST["del"] as $val)
> $query .= ', '.$val;
>
> $query .= ' )';
You could use implode for things like this, i.e.,
$sql = "DELETE FROM $tablename WHERE id IN ('" .
implode("','", addslashes($_POST['del'])) . "')";
That would produce something like:
DELETE FROM table WHERE id IN ('3','4','123');
Hope that helps.
Sincerely,
Paul Burney
<http://paulburney.com/>
<?php
while ($self != "asleep") {
$sheep_count++;
}
?>
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
