Hi all, I am new to PHP

Do I need to sanitize hidden data values in a form before carrying out the query on a MySQL db?

If so, can someone assist me with the correct format?


The category_id is an INT and the make is a String.

// Hidden form fields, read straight from the POST body with no checking
$category_id = $_POST['category_id'];
$make = $_POST['make'];

Also, do I need to sanitize the query itself?

// The values are interpolated directly into the SQL string
$result = mysql_query("SELECT * FROM products WHERE products_make ='$make'");

If you require any additional info please let me know.

Thanks in advance

David

In future, please use code tags, as this is not your first post. Also, the following code should do the trick:

// stripslashes() undoes magic_quotes_gpc (if it is on); mysql_real_escape_string()
// escapes quotes and needs an open mysql connection to know the charset
$category_id = mysql_real_escape_string(stripslashes($_POST['category_id']));
$make = mysql_real_escape_string(stripslashes($_POST['make']));
$result = mysql_query("SELECT * FROM products WHERE products_make ='$make'") or die(mysql_error());
//or
$resultb = mysql_query("SELECT * FROM products WHERE products_make ='$make' AND id ='$category_id'") or die(mysql_error());
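
The reply above shows escaping with the old ext/mysql functions. The block below is an added example, not code from either poster, showing the same two fields handled with input validation for the INT and a mysqli prepared statement for the query, alongside the escaping approach with its caveats. It assumes a `products` table with columns `id` (INT) and `products_make` (VARCHAR), the mysqli extension built with mysqlnd (needed for `get_result()`), and the connection details shown; the `$post` array is constructed attacker input standing in for `$_POST`.

```php
<?php
// Added example for this thread, not the original poster's or the replier's code.
// Assumed: table `products` (id INT, products_make VARCHAR), mysqli with mysqlnd,
// and the connection settings used in new mysqli(...) below.

// Constructed input standing in for $_POST. Hidden form fields arrive the same
// way as visible ones, so an attacker can set them to anything.
$post = [
    'category_id' => '7',
    'make'        => "Ford' OR '1'='1",
];

// 1. What the question's code builds: the quote in `make` closes the literal,
//    and the query becomes ... WHERE products_make ='Ford' OR '1'='1' (every row).
$unsafe = "SELECT * FROM products WHERE products_make ='{$post['make']}'";

// 2. Validate the INT before it goes anywhere near SQL. FILTER_VALIDATE_INT
//    returns false for values such as '7 OR 1=1', so they are rejected outright.
function validate_category_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Escaping, as in the reply, done with the mysqli equivalent. It needs an open
//    connection (the charset matters), only protects values that sit inside
//    quotes, and stripslashes() belongs in front of it only when magic_quotes_gpc
//    is on (removed in PHP 5.4); otherwise it corrupts legitimate backslashes.
function escaped_query(mysqli $db, int $category_id, string $make): string
{
    $safe_make = $db->real_escape_string($make);
    return "SELECT * FROM products WHERE products_make ='$safe_make' AND id = $category_id";
}

// 4. Prepared statement: the values travel separately from the SQL text, so no
//    quoting or escaping is involved. This is the fix to reach for.
function find_products(mysqli $db, int $category_id, string $make): array
{
    $stmt = $db->prepare('SELECT * FROM products WHERE products_make = ? AND id = ?');
    $stmt->bind_param('si', $make, $category_id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

var_dump(validate_category_id('7 OR 1=1')); // NULL: rejected before any SQL is built

$category_id = validate_category_id($post['category_id']);
if ($category_id === null) {
    http_response_code(400);
    exit('invalid category_id');
}

$db = new mysqli('localhost', 'user', 'password', 'shop'); // assumed credentials
if ($db->connect_error) {
    exit('connection failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4'); // escaping is charset-dependent; set it on the connection

// The injected `make` is now just a literal string to match; it returns only rows
// whose products_make is exactly "Ford' OR '1'='1" (normally none).
foreach (find_products($db, $category_id, $post['make']) as $row) {
    echo $row['id'], ' ', $row['products_make'], "\n";
}
```

The `escaped_query()` form is kept only to show what the reply's approach needs to get right; in new code, prepared statements remove the question of escaping entirely, and validating `category_id` as an integer up front rejects malformed values before any query exists.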

Hi,
Thanks for the information, it's working fine.

Thanks for the heads-up on the code tags rule, and in the future I will add them to any further posts.

You mentioned my previous post, which is not resolved; any ideas for a solution?

Thanks again

David

You mentioned my previous post, which is not resolved; any ideas for a solution?

What's the problem or is this solved?
