Posted by Floortje on 01/22/07 18:19
Ruben van Engelenburg wrote:
> marce1972 wrote:
>
>> Do I write this in my PHP code as you wrote it?
>>
>> $nom=$_POST['numero'];
>> $sql="DELETE FROM canciones WHERE idcancion='$nom';";
>> mysql_query($sql) or die ("problema con borrado");
>> $arch=$_POST['ref'];
>> @unlink($arch);
>>
>> Is this correct?
>> Thanks I'll download the other option webdav too to see if it works
>
> No, as Arjen already pointed out: check the input. This means you should
> check the value of $_POST['ref'], because if you don't the user will be
> able to delete any file the webserver has writing rights to.
One way to do it:
Check if the page is listed in the DB:
$sql = "SELECT id,page FROM $table WHERE id = '".intval($_POST['id'])."'";
If that query gives one result, then execute your code.
--
Arjen
http://www.hondenpage.com
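Putting the two replies together (accept only an integer id, look the record up in the database, and delete the file path the database holds rather than the one in `$_POST['ref']`), here is an added example that is not code from anyone in this thread. It assumes a `canciones` table with columns `idcancion` and `archivo` (the stored filename), an `uploads` directory next to the script, placeholder database credentials, and uses mysqli prepared statements in place of the thread's `mysql_query`.

```php
<?php
// Added example: delete a song only after its id is confirmed in the database.
// The file path comes from the database row, never from the request.

$uploadDir = realpath(__DIR__ . '/uploads');              // assumed location of song files
if ($uploadDir === false) {
    die('directorio de subidas no existe');
}
$db = new mysqli('localhost', 'user', 'pass', 'musica');  // placeholder credentials

// 1. Only an integer id is accepted from the client (equivalent to intval()
//    in the reply above, but rejects non-numeric input outright).
$id = filter_input(INPUT_POST, 'numero', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    die('id invalido');
}

// 2. Look the record up with a prepared statement (no string interpolation).
$stmt = $db->prepare('SELECT archivo FROM canciones WHERE idcancion = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($archivo);
if (!$stmt->fetch()) {
    die('cancion no encontrada');     // no row: nothing to delete
}
$stmt->close();

// 3. Resolve the stored name inside the upload directory and confirm the
//    result is still under that directory (rejects "../" and absolute paths
//    even if a bad filename ever reached the database).
$path = realpath($uploadDir . '/' . basename($archivo));
if ($path === false || strpos($path, $uploadDir . DIRECTORY_SEPARATOR) !== 0) {
    die('ruta invalida');
}

// 4. Delete the row first, then the file that the row pointed to.
$del = $db->prepare('DELETE FROM canciones WHERE idcancion = ?');
$del->bind_param('i', $id);
$del->execute();
if ($del->affected_rows === 1 && !unlink($path)) {
    error_log("no se pudo borrar $path");   // row gone, file remains: log it
}
$del->close();
```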