Sanitize PHP hidden form values

Question

davidjennings 0 Junior Poster in Training

15 Years Ago

Hi all, I am new to PHP

Do I need to sanitize hidden data values in a form before carrying out the query on MySQL db.

If so can someone assist me in the correct format

The category_id is an INT and the make is a String.

$category_id=$_POST;
$make=$_POST;

Also do I need to sanitize the query also

$result = mysql_query("SELECT * FROM products WHERE products_make ='$make'");

If you require any additional ifo please let me know.

Thanks in advance

David

php

Edited 15 Years Ago by davidjennings because: n/a

2 Contributors
4 Replies
150 Views
7 Hours Discussion Span
Latest Post 15 Years Ago Latest Post by davidjennings

cwarn23 387 Occupation: Genius

15 Years Ago

In future please use code tags as this is not your first post. Also the following code should do the trick:

$category_id=mysql_real_escape_string(stripslashes($_POST['category_id']));
$make=mysql_real_escape_string(stripslashes($_POST['make']));
$result = mysql_query("SELECT * FROM products WHERE products_make ='$make'") or die(mysql_error());
//or
$resultb = mysql_query("SELECT * FROM products WHERE products_make ='$make' AND id ='$category_id'") or die(mysql_error());

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

davidjennings 0 Junior Poster in Training · Answer 1 · 2009-09-11T16:13:48+00:00

Hi
Thanks for the information
working fine

Thanks for the heads up on the

****

rule and in the future I will add it to any further posts.

You mentioned my previous post which is not resolved, any ideas for a solution.

Thanks again

David

In future please use code tags as this is not your first post. Also the following code should do the trick:

$category_id=mysql_real_escape_string(stripslashes($_POST['category_id']));
$make=mysql_real_escape_string(stripslashes($_POST['make']));
$result = mysql_query("SELECT * FROM products WHERE products_make ='$make'") or die(mysql_error());
//or
$resultb = mysql_query("SELECT * FROM products WHERE products_make ='$make' AND id ='$category_id'") or die(mysql_error());

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 2 · 2009-09-11T16:18:42+00:00

You mentioned my previous post which is not resolved, any ideas for a solution.

What's the problem or is this solved?

davidjennings 0 Junior Poster in Training · Answer 3 · 2009-09-11T16:41:34+00:00

Hi
This thread is solved and I will mark it accordingly

But do you have time to look at my previous thread

www.daniweb.co./forums/thread222004.html

Thanks in advance.

David