Posted by Geoff Berrow on 12/20/04 11:44
Message-ID: <4KednVLqV7JkS6jZnZ2dnUVZ_sydnZ2d@comcast.com> from JackM
contained the following:
>> A little bit slower probably, but at least the $id[] and the corresponding
>> $ids string contain only numbers.
>
>Just a question on this way to further my own learning process. Does the
>fact that the $_POST['subm'] array is dynamically done on the previous
>page prevent one from using it for injection? It's not something that
>requires a user to fill in any text info for. It's only a checkbox that
>gets checked.
Yes, Erwin is right: user-supplied data should ALWAYS be checked before
being used in a query.
There is nothing stopping me downloading your form with checkboxes and
then editing the HTML to make them send different values. Erwin's
solution checks the 'type' of data that is being returned. Other
methods may check that the data is within a range of values that is
acceptable (for instance, you may only want the user to be able to edit
a certain range of ids).
If your id were not an integer, you could do this:
foreach ($_POST["subm"] as $oneNum) {
    // escape each submitted value before it is used in the query
    $id[] = mysql_real_escape_string($oneNum);
}
In fact, I can't immediately see why you should not do
$ids = mysql_real_escape_string(implode(",", $_POST['subm']));
as in my original solution.
Anyone see a problem with that?
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
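The two checks Geoff describes (a type check on each value and a range check against the ids the user may edit), written out as an added example that is not code from the thread. It assumes the form posts the checkbox values as $_POST['subm'] and that the server already knows the allowed ids; $allowedIds and the sample $_POST array are constructed here for illustration.

```php
<?php
// Added example, not from the original thread. $_POST['subm'] is filled in
// here with constructed values: two legitimate ids, one value that is not a
// number at all, and one id outside the range this user may edit.
$_POST['subm'] = ['12', '15', 'abc', '999'];

// Constructed: the ids this particular user is permitted to edit.
$allowedIds = [12, 15, 23, 42];

/**
 * Type check plus range check. Keeps only values made of digits that
 * belong to the allowed set, and returns them as integers.
 */
function filter_ids(array $submitted, array $allowed): array
{
    $clean = [];
    foreach ($submitted as $value) {
        // Type check: ctype_digit accepts only non-empty strings of 0-9,
        // so anything a tampered form adds that is not a number is dropped.
        if (!is_string($value) || !ctype_digit($value)) {
            continue;
        }
        $id = (int) $value;
        // Range check: the id must be one this user is allowed to touch.
        if (in_array($id, $allowed, true)) {
            $clean[] = $id;
        }
    }
    return $clean;
}

/** Build the comma-separated list for "WHERE id IN (...)" from ints only. */
function build_id_list(array $ids): string
{
    return implode(',', array_map('intval', $ids));
}

$ids  = filter_ids($_POST['subm'], $allowedIds);
$list = build_id_list($ids);

if ($list === '') {
    echo "No valid ids submitted\n";
} else {
    // Only integers from the allowed set can reach this string.
    $sql = "UPDATE items SET done = 1 WHERE id IN ($list)";
    echo $sql, "\n";
}
```

On the question at the end of the post: mysql_real_escape_string only escapes quote, backslash and control characters. A value that contains none of those passes through it unchanged, and inside an unquoted numeric IN (...) list nothing is quoted, so escaping the imploded string does not by itself guarantee that $ids contains only numbers. The digit check above is what gives that guarantee; the range check additionally stops a user from editing ids that were never offered on their form. In current PHP the mysql_* functions no longer exist, and the same values would be passed to a prepared statement as integer parameters.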