Posted by Floortje on 01/22/07 18:21
Floortje schreef:
> Ruben van Engelenburg schreef:
>> marce1972 wrote:
>>
>>> Do I write this in my PHP code as you wrote it?
>>>
>>> $nom=$_POST['numero'];
>>> $sql="DELETE FROM canciones WHERE idcancion='$nom';";
>>> mysql_query($sql) or die ("problema con borrado");
>>> $arch=$_POST['ref'];
>>> @unlink($arch);
>>>
>>> Is this correct?
>>> Thanks, I'll download the other option, WebDAV, too, to see if it works.
>>
>> No, as Arjen already pointed out: check the input. This means you
>> should check the value of $_POST['ref'], because if you don't, the user
>> will be able to delete any file the webserver has write permission on.
>
> One way to do it:
> check whether the page is listed in the DB:
> $sql = "SELECT id,page FROM $table WHERE id = '".intval($_POST['id'])."'";
>
> If that query gives one result, then execute your code.
And I mean execute your code with the results from the query :-), not
with the user input.
--
Arjen
http://www.hondenpage.com
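The advice in this thread (validate the id, look the row up, and delete only what the database returned, never what came in $_POST['ref']) written out as a complete PHP function. This is an added example, not code from anyone in the thread; it assumes a `canciones` table with an integer `idcancion` column and an `archivo` column holding the stored file name, an upload directory `UPLOAD_DIR`, and a PDO connection. The column name `archivo` and the directory are assumptions for the example, as is the use of PDO instead of the old mysql_* functions.

```php
<?php
// Added example (not from the thread): delete a song row and its file using
// only values that come back from the database. $_POST['ref'] is never used.
// Assumed: table `canciones` (columns `idcancion` INT, `archivo` VARCHAR with
// the bare file name) and files stored under UPLOAD_DIR. Both are assumptions.

const UPLOAD_DIR = '/var/www/uploads/canciones';

function deleteSong(PDO $db, array $post): string
{
    // 1. Validate the id: it must be a string of digits, nothing else.
    //    (intval() alone would silently turn "12abc" into 12.)
    if (!isset($post['numero']) || !ctype_digit((string) $post['numero'])) {
        return 'invalid id';
    }
    $id = (int) $post['numero'];

    // 2. Look the row up with a prepared statement; no string interpolation,
    //    so the id cannot alter the query even if validation were bypassed.
    $stmt = $db->prepare('SELECT idcancion, archivo FROM canciones WHERE idcancion = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'no such song';   // nothing to delete: do not touch the filesystem
    }

    // 3. Build the path from the stored file name, not from the request.
    //    basename() drops any directory component that got into the DB, and
    //    the realpath() prefix check confirms the result is inside UPLOAD_DIR.
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . basename($row['archivo']));
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return 'file outside upload directory';
    }

    // 4. Delete the row, then the file, inside a transaction so a failed
    //    unlink() rolls the row deletion back instead of leaving it half done.
    $db->beginTransaction();
    $del = $db->prepare('DELETE FROM canciones WHERE idcancion = :id');
    $del->execute([':id' => $id]);
    if (!unlink($path)) {
        $db->rollBack();
        return 'could not delete file';
    }
    $db->commit();
    return 'deleted';
}

// Usage (assumed DSN and credentials):
// $db = new PDO('mysql:host=localhost;dbname=musica', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo deleteSong($db, $_POST);
```

The order of operations in step 4 is a deliberate choice: the DELETE runs first so that, if unlink() fails, the transaction can be rolled back and the row still points at a file that exists. The reverse failure (file removed, commit fails) leaves a row pointing at a missing file, which is the less harmful of the two and easy to clean up later.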