On Friday 27 August 2004 15:31, Ryan Schefke wrote:

First of all:

Using unsanitised data from forms and links is a VERY bad thing.

> <option value="<?PHP echo 'giftprint.php?passid='.$passid.'&sort=WHERE
> thankyou=\'Not Sent\' ORDER BY cash ASC';?>">Show
>
>             Thank You Notes &quot;Not Sent&quot;</option>

Two problems here:

1) URLs need to be urlencode()d appropriately
2) But your major problem is you're passing too much superfluous data 
(technically known as crap).

Breaking it down, you want to pass 4 pieces of data:

1) passid
2) thankyou status
3) sort column
4) sort direction

NB depending on what you're doing (3) & (4) may not be needed (eg if they're 
supposed to be hard-coded defaults that are not user selectable).

Now assuming (3) & (4) aren't needed, you would construct your URL something 
like this:

  giftprint.php?passid=$passid&status=$status

> Then, the below query is run:
>
> $query = "SELECT name, event, description, cash, action, thankyou
>
> FROM gifts WHERE customerID='$passid' $sort";
>
> My problem is with the \'Not Sent\'.  I need the backslashes for the php
> statement but the sql query can't handle it and the jump box gives me an
> error.

No, what you should do is assign various codes for the different statuses, eg

 1 - not sent
 2 - sent
 3 - unknown

Then when you receive the data you sanitise and verify that $passid and 
$status are valid.

So for $status it has to be one of 1, 2, or 3.

Then finally you can construct your query.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
You are a bundle of energy, always on the go.
*/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
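The approach Jason describes, as an added example that is not part of the original thread: status codes mapped server-side, both parameters whitelisted before anything touches SQL, and the link built with urlencoded values instead of SQL fragments. It assumes the `gifts` table and `customerID` / `thankyou` columns from Ryan's query, a PDO connection `$pdo` (the post names no database layer), and goes beyond the post by binding `passid` as a prepared-statement parameter rather than interpolating it after validation.

```php
<?php
// Added example, not code from the original thread. Assumed: a `gifts` table
// with `customerID` and `thankyou` columns, and a PDO connection $pdo.

// Status codes as suggested in the reply: the browser only ever sees the small
// integer; the real column value stays on the server.
const THANKYOU_STATUS = [
    1 => 'Not Sent',
    2 => 'Sent',
    3 => 'Unknown',
];

// Build the jump-box link: no SQL in the URL, every value urlencoded.
function giftprint_url(int $passid, int $status): string
{
    return 'giftprint.php?' . http_build_query(['passid' => $passid, 'status' => $status]);
}

// Validate the incoming request parameters. Returns [passid, status], or null
// when either value is not what we expect.
function validate_params(array $get): ?array
{
    // passid: a positive integer and nothing else.
    $passid = filter_var($get['passid'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    // status: must be one of the whitelisted codes (1, 2 or 3).
    $status = filter_var($get['status'] ?? null, FILTER_VALIDATE_INT);
    if ($passid === false || $status === false || !isset(THANKYOU_STATUS[$status])) {
        return null;
    }
    return [$passid, $status];
}

// Only after validation is the query constructed. The status text comes from
// our own table, never from the request, and passid is bound, not interpolated.
function fetch_gifts(PDO $pdo, int $passid, int $status): array
{
    $stmt = $pdo->prepare(
        'SELECT name, event, description, cash, action, thankyou
           FROM gifts
          WHERE customerID = :passid AND thankyou = :thankyou
       ORDER BY cash ASC'
    );
    $stmt->execute([':passid' => $passid, ':thankyou' => THANKYOU_STATUS[$status]]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Emit one <option> for the jump box. htmlspecialchars() keeps the quotes and
// ampersand in the URL from breaking out of the value attribute.
function thankyou_option(int $passid, int $status, string $label): string
{
    $url = giftprint_url($passid, $status);
    return '<option value="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
}

// giftprint.php request handling, tied together.
function handle_request(PDO $pdo, array $get): void
{
    $params = validate_params($get);
    if ($params === null) {
        http_response_code(400);
        exit('Invalid parameters');
    }
    [$passid, $status] = $params;

    echo '<select onchange="location=this.value">';
    foreach (THANKYOU_STATUS as $code => $text) {
        echo thankyou_option($passid, $code, 'Show Thank You Notes "' . $text . '"');
    }
    echo '</select>';

    foreach (fetch_gifts($pdo, $passid, $status) as $row) {
        echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ': ',
             htmlspecialchars($row['thankyou'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
}

// $pdo = new PDO('mysql:host=localhost;dbname=app', $user, $pass);  // assumed connection
// handle_request($pdo, $_GET);
```

A request such as `giftprint.php?passid=42&status=1` reaches the query; `status=1%20OR%201=1` or `passid=42'` never does, because the integer filter and the whitelist reject them before any SQL is built.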