Posted by Jerry Stuckle on 10/12/38 11:39
Geoff Berrow wrote:
> Message-ID: <db2dnQWwkpylNnvenZ2dnUVZ_tadnZ2d@comcast.com> from Jerry
> Stuckle contained the following:
>
>
>>>Name all the boxes 'del[]' When posted the items to be deleted will be
>>>in an array and you can loop through it and delete them.
>>>
>>
>>Geoff,
>
>
>>And what happens if I come along and post a form back to your page with:
>>
>> <input type ='checkbox' name='del[]' value="1 OR 42=42">
>>
>>ALWAYS validate incoming data - even if it's from a checkbox!
>
>
> Jerry...you're not thinking this through. The person already has
> permission to delete the data.
>
Geoff,
Oh, I'm thinking this through all right.
The case I cited would delete everything in the table. Does the person
have THAT right?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
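
Added example, not part of the original post or thread: the `del[]` handler written once without validation and once with it, run against an in-memory SQLite table. The server-side code is not shown in the thread, so the PHP/PDO handler, the `items` table, its `owner` column and the per-user scoping are all assumptions made for illustration.

```php
<?php
// Constructed sample data in a hypothetical table `items`.
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT, label TEXT)');
    $db->exec("INSERT INTO items (owner, label) VALUES
        ('alice','a1'),('alice','a2'),('bob','b1'),('bob','b2')");
    return $db;
}

// Before: each posted value is pasted into the statement as SQL text.
function deleteUnchecked(PDO $db, array $del): int {
    $n = 0;
    foreach ($del as $id) {
        $n += $db->exec("DELETE FROM items WHERE id = $id");
    }
    return $n;
}

// After: accept only plain positive integers, bind them as parameters,
// and restrict the delete to rows the current user owns.
function deleteValidated(PDO $db, $del, string $owner): int {
    if (!is_array($del)) {
        return 0; // a scalar `del` instead of `del[]` is rejected
    }
    $stmt = $db->prepare('DELETE FROM items WHERE id = :id AND owner = :owner');
    $n = 0;
    foreach ($del as $raw) {
        // Nested arrays and non-numeric strings both fail validation.
        $id = is_string($raw)
            ? filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
            : false;
        if ($id === false) {
            continue;
        }
        $stmt->execute([':id' => $id, ':owner' => $owner]);
        $n += $stmt->rowCount();
    }
    return $n;
}

$posted = ['1 OR 42=42']; // the checkbox value from the post, as it arrives in $_POST['del']

echo deleteUnchecked(freshDb(), $posted), " rows deleted without validation\n";
echo deleteValidated(freshDb(), $posted, 'alice'), " rows deleted with validation\n";
echo deleteValidated(freshDb(), ['1', '3'], 'alice'), " rows deleted for ids 1 and 3 as alice\n";
```

The last call shows that validation alone is not the whole fix: id 3 is a well-formed integer but belongs to another user, so the `owner` condition is what keeps it from being deleted.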