Re: [PHP] backslashes

On Friday 27 August 2004 15:31, Ryan Schefke wrote:

First of all:

Using unsanitised data from forms and links is a VERY bad thing.

> <option value="<?PHP echo 'giftprint.php?passid='.$passid.'&sort=WHERE
> thankyou='Not Sent' ORDER BY cash ASC';?>">Show
>
>             Thank You Notes "Not Sent"</option>

Two problems here:

1) URLs needs to be urlencode() appropriately
2) But your major problem is you're passing too much superfluous data
(technically known as crap).

Breaking it down, you want to pass 4 pieces of data:

1) passid
2) thankyou status
3) sort column
4) sort direction

NB depending on what you're doing (3) & (4) may not be needed (eg if they're
supposed to be hard-coded defaults that are not user selectable).

Now assuming (3) & (4) aren't needed, you would construct your URL something
like this:

giftprint.php?passid=$passid&status=$status

> Then, the below query is run:
>
> $query = "SELECT name, event, description, cash, action, thankyou
>
> FROM gifts WHERE customerID='$passid' $sort";
>
> My problem is with the 'Not Sent'.  I need the backslashes for the php
> statement but the sql query can't handle it and the jump box gives me an
> error.

No, what you should do is assign various codes for the different status, eg

1 - not sent
2 - sent
3 - unknown

Then when you receive the data you sanitise and verify that $passid and
$status are valid.

So for $status it has to be one of 1, 2, or 3.

Then finally you can construct your query.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
/*
You are a bundle of energy, always on the go.
*/