php - Easier way for button information submits (secure)
When using a button to submit information with prepared statements, I want to add a title to the button as the "value" in the form:
<form action="" method="post"> <input type="submit" name="man" value="man"> </form>
with this PHP code:

if (isset($_POST['man'])) {
    // Check the connection
    if ($mysqli->connect_error) {
        die("Connection failed: " . $mysqli->connect_error);
    }
    // WHERE restricts the update to the logged-in user's row
    $sql = "UPDATE users SET gender = ? WHERE username = ?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('ss', $_POST['man'], $_SESSION['username']);
    $ok = $stmt->execute();
    if ($ok == true) {
        echo "<font color='#00cc00'>Your gender has been updated.</font><p>";
    } else {
        echo "Error: " . $stmt->error;
    }
}
This code, which many people use (normal, easy code with prepared statements), has one mistake... if you change the value of "man" to e.g. "lol", the gender in the database is set to "lol", because the value is "lol"... I noticed this problem on many websites and in codes here. The way to fix this is to pre-define $_POST... check the answer.
You need to whitelist the allowed values in an array:

if (isset($_POST['man'])) {
    // Only values from this list may reach the database
    $allowed_values = array("man", "women");
    if (!in_array($_POST['man'], $allowed_values)) {
        echo "error message";
        die();
    }
    // Check the connection
    if ($mysqli->connect_error) {
        die("Connection failed: " . $mysqli->connect_error);
    }
    $sql = "UPDATE users SET gender = ? WHERE username = ?";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param('ss', $_POST['man'], $_SESSION['username']);
    $ok = $stmt->execute();
    if ($ok == true) {
        echo "<font color='#00cc00'>Your gender has been updated.</font><p>";
    } else {
        echo "Error: " . $stmt->error;
    }
}
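The same whitelist idea as an added, stand-alone example (not code from the question or the answer): the check is pulled into a function that also rejects non-string input (e.g. man[]=man) and uses strict comparison, and the update is kept separate. The users table, its gender and username columns, and the helper names are assumed from the post.

```php
<?php
// Added example: whitelist validation of a submit-button value, then a
// parameterized update. ALLOWED_GENDERS mirrors the answer's array.
const ALLOWED_GENDERS = ['man', 'women'];

/**
 * Return the submitted value only if it is a string that exactly matches
 * one of the allowed values; otherwise return null.
 * is_string() rejects array input such as man[]=man, and the third
 * argument of in_array() forces strict (===) comparison.
 */
function validated_gender($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_GENDERS, true) ? $raw : null;
}

/** Persist a value that has already passed validated_gender(). */
function update_gender(mysqli $db, string $gender, string $username): bool
{
    // The WHERE clause limits the update to the current user's row.
    $stmt = $db->prepare('UPDATE users SET gender = ? WHERE username = ?');
    $stmt->bind_param('ss', $gender, $username);
    return $stmt->execute();
}

// Constructed sample inputs standing in for $_POST['man'], including the
// tampered "lol" from the question and a few other shapes a request can carry.
$samples = ['man', 'women', 'lol', 'MAN', ['man'], '0'];
foreach ($samples as $raw) {
    $shown  = is_array($raw) ? 'array' : var_export($raw, true);
    $result = validated_gender($raw);
    echo $shown, ' => ', $result === null ? 'rejected' : "accepted ($result)", PHP_EOL;
}
```

In the request handler, call update_gender() only when validated_gender($_POST['man'] ?? null) returns a non-null value.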