Quote:
Originally Posted by AndrewGSW
PHP Code:
if ($_POST['selectAll'] == 1) {
    // ... (rest of the block was not quoted)
}
There is nothing wrong with this, I suppose; I just have my own personal preferences. You asked the question...
I typically might use code like the following to check and perform a cast:
PHP Code:
// Only proceed when the field was actually sent and looks like a number.
// Note: is_numeric() also accepts floats such as "1.5" or "1e3"; intval() truncates those.
if (isset($_POST['myNumber']) && is_numeric($_POST['myNumber'])) {
    // Cast to an integer (base 10) before the value is used anywhere else.
    $theNumber = intval($_POST['myNumber'], 10);
} else {
    echo "Doh!";
}
The main thing is to check, and sanitise, post-data (in an appropriate way) and never make assumptions about the type of value you have been sent.
Once I've checked and sanitised the post data I move them into standard $variables. I know that they are now clean and I will drop any references to $_POST for the rest of the code.
Of course, the burden is reduced when using prepared statements, but we still want to prevent errors on the page. Errors that might occur if we assume that the value is of a certain type, or, similarly, if we try to INSERT a wrong value-type into our database.
Okay, so then I probably need to add something here...
In my Form, a User checks the Private Messages that he/she wants to update, and my Form submits an array like this...
PHP Code:
// str2htmlentities() is a helper defined elsewhere in the form code (not a PHP built-in).
echo "<input id='"
    . str2htmlentities($pmID)
    . "' name=selectedMsgArray["
    . str2htmlentities($pmID)
    . "] type='checkbox' value=1 />";
When my form is submitted, I assign the array to a variable like this...
PHP Code:
// Keys are the checked message ids, values are the checkbox value (1).
$updateMsgArray = $_POST['selectedMsgArray'];
Then I have my update query like this...
PHP Code:
foreach($updateMsgArray as $msgID => $msgValue){
    // Build query.
    $q1 = "UPDATE private_msg_recipient
           SET read_on = NULL,
               updated_on = NOW()
           WHERE member_id_to = ?
             AND message_id = ?";
    // Prepare statement.
    $stmt1 = mysqli_prepare($dbc, $q1);
    // Bind variables to query; 'i' makes mysqli send $msgID as an integer.
    mysqli_stmt_bind_param($stmt1, 'ii', $sessMemberID, $msgID);
    // Run it for this message and release the statement.
    mysqli_stmt_execute($stmt1);
    mysqli_stmt_close($stmt1);
}
I suppose a hacker could mess with the keys in my $updateMsgArray and thus cause issues with the query above...
So how would I check the keys in this array and ensure they are legitimate?!
Thanks,
Debbie
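An added example (not Debbie's or AndrewGSW's code) of the key check asked for above: it keeps only positive-integer keys whose value is 1, then reuses a single prepared statement for the update. $dbc, $sessMemberID and the table come from the post; cleanSelectedMsgIds and updateSelectedMessages are names made up here.

```php
<?php
// Added example, not code from the original thread. Validates the checkbox
// keys from the form before any of them reach the UPDATE query.

// Return the message ids that survive validation: the posted value must be an
// array, every key a positive integer and every value exactly "1".
function cleanSelectedMsgIds($posted): array
{
    if (!is_array($posted)) {
        return [];                   // absent, or tampered into a scalar: nothing to update
    }
    $ids = [];
    foreach ($posted as $key => $value) {
        // PHP already turns keys like "17" into int 17; anything else stays a string.
        // FILTER_VALIDATE_INT rejects "abc", "-5", "1.0" and leading zeros such as "017".
        $id = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || (string) $value !== '1') {
            continue;                // not a legitimate key/value pair: drop it
        }
        $ids[$id] = $id;             // keyed by id, so duplicates collapse
    }
    return array_values($ids);
}

// Prepare once, bind once, execute per id (hypothetical name; $dbc, $sessMemberID
// and the table come from the post). The member_id_to = ? clause limits the
// update to the logged-in member's own rows whatever ids were posted.
function updateSelectedMessages(mysqli $dbc, int $sessMemberID, array $msgIds): int
{
    $q1 = "UPDATE private_msg_recipient
              SET read_on = NULL, updated_on = NOW()
            WHERE member_id_to = ? AND message_id = ?";
    $stmt1 = mysqli_prepare($dbc, $q1);
    $msgID = 0;                      // bound by reference, reassigned each iteration
    mysqli_stmt_bind_param($stmt1, 'ii', $sessMemberID, $msgID);
    $updated = 0;
    foreach ($msgIds as $msgID) {
        mysqli_stmt_execute($stmt1);
        $updated += mysqli_stmt_affected_rows($stmt1);
    }
    mysqli_stmt_close($stmt1);
    return $updated;
}

// Constructed sample standing in for $_POST['selectedMsgArray'].
$sample = ['17' => '1', '3' => '1', 'abc' => '1', '-5' => '1', '017' => '1', '21' => '0'];
print_r(cleanSelectedMsgIds($sample));
// Live use: updateSelectedMessages($dbc, $sessMemberID, cleanSelectedMsgIds($_POST['selectedMsgArray'] ?? null));
```

Even without the key check, the bound member_id_to = ? in the original query already means an edited key can only ever touch the logged-in member's own rows; the check above keeps junk keys from reaching the database at all.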