On 5/25/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
As you said: Filtering. My next question.

I have small form to activate/deactivate member's account.

<form method="post" action="members.php">
<input type="hidden" name="username" value="<?= $Username ?>">
<input type="hidden" name="status" value="<?= $Status ?>">
<input type="image" name="action" value="change" src="images/status_live.gif"
border="0">
</form>

and once the administrator clicks on the button:

if(isset($_POST['action']))
{
  // field names must match the form: the hidden input is called "username"
  $Username = $_POST['username'];
  $action = $_POST['action'];
  switch($action)
  {
    case 'change':
      mysql_query("UPDATE members SET status='live' WHERE Username =
'".$Username."'");
    break;

    case 'edit':
      //  ...
    break;
  }
}

Do I have to filter $Username with mysql_real_escape_string() function
even if $Username will not be stored in DB and I use it in WHERE part?
If no - how to filter it?

Thanks

-afan


Yes, you're sending it into the DB which means it is a command that
needs to be escaped.  All MySQL commands need to be escaped.
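The point applies to the WHERE clause exactly as it does to an INSERT: a single quote inside $Username ends the string literal and whatever follows it is parsed as SQL, so every row the rest of the expression matches gets updated. The handler below is an added example, not code from the original thread; it assumes a mysqli connection (the old mysql_* extension that mysql_real_escape_string() belongs to is gone in PHP 7), a table `members` with columns `Username` and `status` as in the post, and placeholder credentials. It shows the two defences side by side: escaping with the connection-aware mysqli_real_escape_string(), and a prepared statement, which sends the username separately from the SQL text so no escaping is needed at all.

```php
<?php
// Added example (not from the original thread). Assumes a mysqli connection
// and the `members` table from the post; credentials below are placeholders.

// Option 1: escape, then interpolate. This is the approach the question asks
// about. The escaping depends on the connection's character set, which is why
// the mysqli version takes the connection as its first argument.
function activate_member_escaped(mysqli $db, string $username): bool
{
    $safe = mysqli_real_escape_string($db, $username);
    $sql  = "UPDATE members SET status='live' WHERE Username = '" . $safe . "'";
    return mysqli_query($db, $sql) !== false;
}

// Option 2: prepared statement. The username is bound as a parameter and never
// becomes part of the SQL text, so there is nothing to escape.
function activate_member_prepared(mysqli $db, string $username): bool
{
    $stmt = $db->prepare("UPDATE members SET status='live' WHERE Username = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['action']) && isset($_POST['username'])) {
    // placeholder host/user/password/database
    $db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
    if ($db->connect_error) {
        exit('database connection failed');
    }
    // set the charset BEFORE escaping anything, or the escaping is unreliable
    $db->set_charset('utf8mb4');

    switch ($_POST['action']) {
        case 'change':
            activate_member_prepared($db, $_POST['username']);
            break;
        case 'edit':
            // ...
            break;
    }
    $db->close();
}
```

One thing to check with the form in the post: an image submit button sends its click coordinates as action.x and action.y, and whether the value="change" attribute is submitted as well varies by browser, so the isset($_POST['action']) test may not fire everywhere. A plain submit button, or checking for action_x, avoids that.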

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
