Although you should be filtering input in order to avoid SQL injection,
cross-site scripting and other related nasties, you shouldn't be using
htmlentities() in order to protect against SQL injection.

Filter the incoming data, e.g.:

$a = intval($_GET['a']);     // you want only integers
$a = floatval($_GET['a']);   // you want only floats
$a = strip_tags($_GET['a']); // you want a string, but no HTML in it

Especially, go read this page and use the filter extension if you can:
        http://nl2.php.net/filter

and then escape your data properly according to the context it
is being used in, e.g.:

mysql_real_escape_string($a); // for using data in a mysql query
htmlentities($a);             // for using data in a webpage

itoctopus wrote:
> Since you're new to this, always be sure to clean up the output you get from
> $_GET or $_POST to avoid sql injection.
> 
> For example: $search_value = htmlentities($_GET['search_value'], ENT_QUOTES);
> If you're casting to something other than a string (such as int) then you're
> safe and you don't have to use htmlentities.
> 
> --
> itoctopus - http://www.itoctopus.com
> "Jeff" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Thank you Chris!
>>
>> "Chris" <[EMAIL PROTECTED]> wrote in message
>> news:[EMAIL PROTECTED]
>>> Jeff wrote:
>>>> I want to thank you all for clearing me up on setting the
>>>> register_globals to ON issue!! I have refrained from doing so and my code
>>>> is running great with the $_GET.
>>>>
>>>> I am having NO trouble passing my "single" variable to the next page
>>>> using..
>>>>
>>>> echo "<A href=\"char_edit_form.php?charid=$charid\">Edit</A>";
>>>>
>>>> as when the next page that load actually shows the character info, so
>>>> basically you can see you are dealing with the correct record.
>>>>
>>>> NOW.............
>>>>
>>>> I want to pass two variables to a delete page. The charid and the char
>>>> name. Here is what I have but it will only pass the 1st variable ?charid
>>>> echo "<A href=\"delete_char.php?charid=$charid
>>>> ?char=".$myrow["char_name"]."\">Delete</A>";
>>> The first one is preceded by a ?
>>>
>>> Subsequent ones are with an '&'.
>>>
>>> See http://en.wikipedia.org/wiki/Query_string
>>>
>>> --
>>> Postgresql & php tutorials
>>> http://www.designmagick.com/
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
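Added example, not code from this thread or any of its posters: the filter-then-escape flow from the reply above as a runnable PHP script. It assumes PHP 7 or later with pdo_sqlite; an in-memory SQLite database stands in for the MySQL server, and PDO prepared statements are used where the reply names mysql_real_escape_string() (ext/mysql was removed in PHP 7.0). The function names (filter_charid, filter_char_name, for_html, link_to_delete, delete_character), the characters table and the request data are made up for the demo; delete_char.php, charid, char and char_name come from the quoted messages.

```php
<?php
// Added example, not code from the thread: filter first, then escape per
// output context. Assumptions: PHP 7+ with pdo_sqlite; an in-memory SQLite
// database stands in for MySQL, and PDO prepared statements replace the
// mysql_real_escape_string() call named in the reply (ext/mysql is gone
// since PHP 7.0). Table/column names and request data are made up.

/** Filter: accept only a positive integer id. Returns int or false.
 *  FILTER_VALIDATE_INT rejects "12abc" outright; intval() would give 12. */
function filter_charid($raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

/** Filter: a character name is plain text, so drop tags, trim, cap length. */
function filter_char_name($raw, $maxLen = 40)
{
    $name = trim(strip_tags((string) $raw));
    return ($name !== '' && strlen($name) <= $maxLen) ? $name : false;
}

/** Escape for HTML body or attribute context. */
function for_html($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the Delete link from the quoted messages: '?' before the first
 *  pair, '&' between pairs, values percent-encoded, then the whole URL
 *  HTML-escaped because it lives inside an attribute. */
function link_to_delete($charid, $name)
{
    $url = 'delete_char.php?' . http_build_query(['charid' => $charid, 'char' => $name]);
    return '<a href="' . for_html($url) . '">Delete</a>';
}

/** SQL context: bind the id as a parameter instead of splicing it into
 *  the query text. Returns the number of rows deleted. */
function delete_character(PDO $pdo, $charid)
{
    $stmt = $pdo->prepare('DELETE FROM characters WHERE charid = ?');
    $stmt->bindValue(1, $charid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// --- demo with constructed data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE characters (charid INTEGER PRIMARY KEY, char_name TEXT)');
$pdo->exec("INSERT INTO characters (charid, char_name) VALUES (12, 'Bob'), (13, 'Alice')");

// Why htmlentities() is no SQL defence: nothing in this payload is an HTML
// special character, so htmlentities() has nothing to encode and the string
// stays shaped like SQL. The integer filter, by contrast, rejects it.
$payload = '13 OR 1=1';
echo "htmlentities:  ", htmlentities($payload, ENT_QUOTES), "\n";
echo "filter_charid: ", var_export(filter_charid($payload), true), "\n";

// Two constructed requests standing in for $_GET on delete_char.php.
$requests = [
    ['charid' => '12abc', 'char' => 'Bob'],               // bad id: rejected
    ['charid' => '13',    'char' => 'Al <b>"A&A"</b>'],   // accepted, then escaped
];
foreach ($requests as $get) {
    $charid = filter_charid($get['charid'] ?? null);
    $name   = filter_char_name($get['char'] ?? null);
    if ($charid === false || $name === false) {
        echo "rejected: ", var_export($get, true), "\n";   // a real page would send a 400
        continue;
    }
    echo link_to_delete($charid, $name), "\n";
    echo "rows deleted: ", delete_character($pdo, $charid), "\n";
}
```

Run it with `php filter_escape_demo.php`. The point the reply makes is visible in the three layers: the filters decide what shape the data must have and reject anything else rather than repairing it; the query never sees the id as text because it is bound as a parameter; and the same name is encoded twice on its way into the link, once by http_build_query for the URL and once by htmlspecialchars for the attribute, because each context has its own metacharacters.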
