php - Easier way for button information submits (secure) -


when using button submit information prepared want add title button, "value" form :

<form action="" method="post"> <input type="submit" name="man" value="man"> </form> 

with php code :

if (isset($_post['man'])) {      // check connection     if ($conn->connect_error) {         die("connection failed: " . $conn->connect_error);     }       $sql = "      update users      set gender = ?      username = ?  ";   $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $_post['man'], $_session['username']);  $ok = $stmt->execute();      if ($ok == true) {         echo "<font color='#00cc00'>your gender has been updated.</font><p>";     } else {         echo "error: " .$stmt->error;     } } 

this code, many people using (normal easy code prepared statements) there 1 mistake... if change value of man eg. lol , gender in database set "lol" because value "lol"... noticed problem in many websites , codes here, , way fix this, pre-define $_post... check answer

you need whitelist allowed values in array

if (isset($_post['man'])) {  $allowed_values=array("man","women");  if(!in_array($_post['man'],$allowed_values)){ echo"error message"; die(); }      // check connection     if ($conn->connect_error) {         die("connection failed: " . $conn->connect_error);     }       $sql = "      update users      set gender = ?      username = ?  ";   $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $_post['man'], $_session['username']);  $ok = $stmt->execute();      if ($ok == true) {         echo "<font color='#00cc00'>your gender has been updated.</font><p>";     } else {         echo "error: " .$stmt->error;     } } 

Comments

Popular posts from this blog

Payment information shows nothing in one page checkout page magento -

tcpdump - How to check if server received packet (acknowledged) -