Quote:
Originally Posted by doubledee
But technically that is true of anything passed through a Form, right?
Yes it is. That's why you need to do your checks at your end.
Quote:
Originally Posted by doubledee
Since I am just passing back a listing of all PM ID's to the same script so it knows which Messages need to be updated, and since the "pmID" is an Integer, then as long as I sanitize things by casting to an Integer, and using Prepared Statements - which is actually the only way I know how to do database stuff - then I assume that I will be okay from a security standpoint?!
Yes. Just remember, in your SQL where clause don't just do where pmid='<the PM's ID>'; also include the member's user id too, so that they can only delete their own messages - eg:
delete from messages where pmID='$pmID'
and userID='$userID'
That would mean that the user can only delete their own messages / mark as read etc. It'll be slightly different using prepared statements but that should give you an idea of what I'm saying.
Also, not sure if you do this but you're best off constructing one long SQL statement EG:
delete from messages where (pmID='52' or pmID='51' or pmID='50') and userId='$userID'
That will let you do the entire thing in one SQL query rather than 30 or 40 separate queries. To make it (very basic - you'll need to do your own checks)..
PHP Code:
$Array = []; // start empty so a missing/empty POST array doesn't leave it undefined
foreach ($_POST['testArray'] as $Key => $Value)
{
    // one "pmID='...'" fragment per posted id (cast/validate $Value before this in real code)
    $Array[] = "pmID='$Value'";
}
$IDs = implode(' or ', $Array); // "pmID='52' or pmID='51' or pmID='50'"
$SQL = "delete from messages where ($IDs) and userId='$userID'";
Again you'll need to change that for prepared statements but it should point you in the right direction.
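As an added example (not from the post above), here is the same one-query delete written as a PDO prepared statement: every posted id is cast to an integer, one placeholder is generated per id, and the owner's userId is bound as the last parameter so a user can only remove their own messages. It assumes a `$pdo` connection and a `messages` table with integer `pmID` and `userId` columns; `$userID` comes from the session, never from the form.

```php
<?php
// Added example: delete a member's own PMs in a single prepared statement (PDO).
// Assumes: $pdo is a connected PDO instance, table "messages" has integer
// columns pmID and userId, and $userID is the logged-in member's id from the session.

function deleteOwnMessages(PDO $pdo, int $userID, array $postedIDs): int
{
    // Cast every posted value to int and keep only positive ids.
    $ids = array_values(array_filter(
        array_map('intval', $postedIDs),
        static fn(int $id): bool => $id > 0
    ));
    if ($ids === []) {
        return 0; // nothing valid was posted, so nothing to delete
    }

    // One "?" per id; the id values themselves never touch the SQL string.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $sql = "DELETE FROM messages WHERE pmID IN ($placeholders) AND userId = ?";

    $stmt = $pdo->prepare($sql);
    $pos = 1;
    foreach ($ids as $id) {
        $stmt->bindValue($pos++, $id, PDO::PARAM_INT);
    }
    // The owner id goes in the final placeholder; rows for other users are untouched.
    $stmt->bindValue($pos, $userID, PDO::PARAM_INT);
    $stmt->execute();

    // Rows actually removed: ids that did not belong to this user simply don't match.
    return $stmt->rowCount();
}

// Usage (session-sourced user id, form-sourced list of PM ids):
// $deleted = deleteOwnMessages($pdo, (int) $_SESSION['userID'], $_POST['testArray'] ?? []);
```

Because the ownership check is part of the same WHERE clause, a forged pmID belonging to someone else just matches zero rows rather than needing a separate lookup.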