Posted by C.W.Holeman II on 05/12/05 05:43

Leif Neland wrote:
> "C.W.Holeman II" <cwhii_googlespam@yahoo.com> skrev i en meddelelse
> news:1182u7bm8bnue98@corp.supernews.com...
>> _REQUEST['xxx[abc]']
>> _REQUEST['xxx[xyz]']
>> ^^^
>>
>> I would like to grab all values of _REQUEST for the array xxx where
>> the index will be a value like abc or xyz. Then I would like to write all
>> of these values to a MySQL table.
>>
>> Is this a common enough task that there are established techniques for
>> doing
>> this?
>
> It might be, but don't make the mistake of simply building a query based
> on the fields in the form, and especially don't take the tablename as a
> parameter.
>
> If you do, you inadvertenly create a tool for a hacker to manipulate the
> entire database.
>
> The secure way of processing forms is to only accept the fields you are
> looking for, not every field in the form.

Like the NetFlix queue I want to let a user change the priority of the
existing items in the queue.

--
C.W.Holeman II
cwhii@Julian5Locals5.com remove the fives
http://free.ProHosting.com/cwhii

• Next in forum: Re: OT: why do they charge for extra db ?(Was: One database or many ?)
• Prev in forum: Re: Ensuring records are written to the MySQL database
• Thread view: Re: Query string array to MySQL table.

[Reply to this message]