Jason Wong 2004-08-27, 8:57 am
On Friday 27 August 2004 15:31, Ryan Schefke wrote:
First of all:
Using unsanitised data from forms and links is a VERY bad thing.
> <option value="<?PHP echo 'giftprint.php?passid='.$passid.'&sort=WHERE
> thankyou='Not Sent' ORDER BY cash ASC';?>">Show
>
> Thank You Notes "Not Sent"</option>
Two problems here:
1) URLs need to be urlencode()d appropriately
2) But your major problem is you're passing too much superfluous data
(technically known as crap).
Breaking it down, you want to pass 4 pieces of data:
1) passid
2) thankyou status
3) sort column
4) sort direction
NB depending on what you're doing, (3) & (4) may not be needed (eg if they're
supposed to be hard-coded defaults that are not user selectable).
Now assuming (3) & (4) aren't needed, you would construct your URL something
like this:
giftprint.php?passid=$passid&status=$status
> Then, the below query is run:
>
> $query = "SELECT name, event, description, cash, action, thankyou
>
> FROM gifts WHERE customerID='$passid' $sort";
>
> My problem is with the 'Not Sent'. I need the backslashes for the php
> statement but the sql query can't handle it and the jump box gives me an
> error.
No, what you should do is assign various codes for the different statuses, eg
1 - not sent
2 - sent
3 - unknown
Then when you receive the data you sanitise and verify that $passid and
$status are valid.
So for $status it has to be one of 1, 2, or 3.
Then finally you can construct your query.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
You are a bundle of energy, always on the go.
*/
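The approach Jason describes, carried through end to end, as an added example (this is not code from Jason's reply or from Ryan's script): the link carries only small coded values built with http_build_query(), the receiving page checks passid and status against what it expects, and the query is built with bound parameters. It assumes the table and column names from the original post (gifts, customerID, thankyou, cash), PDO as the database layer, and that codes 2 and 3 map to the column values 'Sent' and 'Unknown' (only 'Not Sent' appears in the post, so those two strings are an assumption).

```php
<?php
// Added example, not from the original thread.

// Status codes as suggested in the reply. The string values they map to are
// assumed here; only 'Not Sent' appears in the original post.
const THANKYOU_STATUS = [
    1 => 'Not Sent',
    2 => 'Sent',
    3 => 'Unknown',
];

// Sort columns and directions the user is allowed to pick. Identifiers cannot
// be bound as placeholders, so they are checked against a fixed list instead.
const SORT_COLUMNS = ['cash', 'name', 'event'];
const SORT_DIRS    = ['ASC', 'DESC'];

/**
 * Build the link for the jump box. http_build_query() urlencodes every
 * parameter, and only short, fixed-format values travel in the URL.
 */
function giftprint_url(int $passid, int $status, string $sort = 'cash', string $dir = 'ASC'): string
{
    return 'giftprint.php?' . http_build_query([
        'passid' => $passid,
        'status' => $status,
        'sort'   => $sort,
        'dir'    => $dir,
    ]);
}

/**
 * Validate the incoming request parameters. Returns the cleaned values or
 * throws, so the query below is only ever built from known-good input.
 */
function validate_request(array $get): array
{
    // passid must be a non-negative integer
    if (!isset($get['passid']) || !ctype_digit((string)$get['passid'])) {
        throw new InvalidArgumentException('passid must be a number');
    }
    // status must be one of the codes defined above
    if (!isset($get['status']) || !isset(THANKYOU_STATUS[(int)$get['status']])) {
        throw new InvalidArgumentException('status must be 1, 2 or 3');
    }
    // sort column and direction must match the whitelist exactly
    $sort = $get['sort'] ?? 'cash';
    $dir  = strtoupper($get['dir'] ?? 'ASC');
    if (!in_array($sort, SORT_COLUMNS, true) || !in_array($dir, SORT_DIRS, true)) {
        throw new InvalidArgumentException('invalid sort parameters');
    }
    return [
        'passid' => (int)$get['passid'],
        'status' => THANKYOU_STATUS[(int)$get['status']],
        'sort'   => $sort,
        'dir'    => $dir,
    ];
}

/**
 * Run the query with bound parameters for the data values; the ORDER BY
 * identifiers come from the whitelist, never straight from the request.
 */
function fetch_gifts(PDO $db, array $p): array
{
    $sql = "SELECT name, event, description, cash, action, thankyou
            FROM gifts
            WHERE customerID = :passid AND thankyou = :status
            ORDER BY {$p['sort']} {$p['dir']}";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':passid', $p['passid'], PDO::PARAM_INT);
    $stmt->bindValue(':status', $p['status'], PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The link as it would go into <option value="...">; escaped for HTML output.
echo htmlspecialchars(giftprint_url(42, 1), ENT_QUOTES, 'UTF-8'), "\n";

// Receiving side, using constructed request data rather than a live $_GET.
try {
    $params = validate_request(['passid' => '42', 'status' => '1', 'sort' => 'cash', 'dir' => 'asc']);
    // Connection details are placeholders; uncomment against a real database.
    // $db   = new PDO('mysql:host=localhost;dbname=DBNAME', 'USER', 'PASS');
    // $rows = fetch_gifts($db, $params);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The point of keeping the status mapping on the server is that the quoted value ('Not Sent') never leaves the script, so the quoting problem Ryan ran into disappears along with the ability of a link to inject its own WHERE clause; the ORDER BY parts are the one place a placeholder cannot be used, which is why they are whitelisted rather than escaped.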