rubhadubh wrote:
> Thanks, I just sorted the problem using the 'name' parameter of the
> serialize object too. So the line becomes:
>
> Sortable.serialize(list.id, {name:'list'});
> and
> $_POST['list']
Yeah, that works too and is probably cleaner here with sortables.
> Seems to have done the trick.
>
> WRT SQL injection attack, yes, I would normally wrap the inputs in a
> function that strips out any illegal characters - it would be
> distracting in my posted example though. Is that the sort of thing you
> had in mind?
In this case since a sortable returns a pretty defined set of things, input
manipulation is passable. Although you should never try to strip out offending
characters. Instead you should only allow legitimate characters. But that only
works in cases where the input is strictly defined. If you switch to using bind
params in your SQL then you have a solution that works in all cases. I'm not
sure about the specifics of how to do this in PHP (I'm a Perl guy) but the
concept should be basically the same.
--
Michael Peters
Developer
Plus Three, LP
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Spinoffs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at
http://groups.google.com/group/rubyonrails-spinoffs?hl=en
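The two points from the reply above (allow only legitimate characters, then use bind parameters) carried through in PHP, as an added example that is not code from the thread: it assumes the ids that Sortable.serialize(list.id, {name:'list'}) posts arrive as $_POST['list'], uses PDO prepared statements as the PHP equivalent of bind params, and uses a hypothetical table items(id, position).

```php
<?php
// Added example (not from the thread). Assumes $_POST['list'] holds the ids
// posted by Sortable.serialize(list.id, {name:'list'}), and a hypothetical
// table items(id, position). PDO prepared statements play the bind-param role.

// Allowlist validation: each posted id must be a plain positive integer.
// Anything else is rejected outright rather than "cleaned up".
function validate_sortable_ids($posted): array
{
    if (!is_array($posted)) {
        throw new InvalidArgumentException('list must be an array');
    }
    $ids = [];
    foreach ($posted as $raw) {
        if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
            throw new InvalidArgumentException('invalid item id');
        }
        $ids[] = (int) $raw;
    }
    return $ids;
}

// Bind parameters: values travel separately from the SQL text, so they
// are never parsed as SQL, whatever they contain.
function save_order(PDO $pdo, array $ids): void
{
    $stmt = $pdo->prepare('UPDATE items SET position = :pos WHERE id = :id');
    $pdo->beginTransaction();
    foreach ($ids as $pos => $id) {          // $pos is the new 0-based position
        $stmt->bindValue(':pos', $pos, PDO::PARAM_INT);
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
    }
    $pdo->commit();
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, position INTEGER)');
$pdo->exec('INSERT INTO items VALUES (1, 0), (2, 1), (3, 2)');

$posted = ['3', '1', '2'];   // what list[]=3&list[]=1&list[]=2 decodes to
save_order($pdo, validate_sortable_ids($posted));
print_r($pdo->query('SELECT id, position FROM items ORDER BY position')->fetchAll(PDO::FETCH_ASSOC));

try {
    validate_sortable_ids(['3abc']);        // rejected before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Because the ids are validated against a strict pattern first and then bound as integers, neither step relies on stripping characters out of the input.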