php - Easier way for button information submits (secure) -


when using button submit information prepared want add title button, "value" form :

<form action="" method="post"> <input type="submit" name="man" value="man"> </form>

with php code :

if (isset($_post['man'])) {      // check connection     if ($conn->connect_error) {         die("connection failed: " . $conn->connect_error);     }       $sql = "      update users      set gender = ?      username = ?  ";   $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $_post['man'], $_session['username']);  $ok = $stmt->execute();      if ($ok == true) {         echo "<font color='#00cc00'>your gender has been updated.</font><p>";     } else {         echo "error: " .$stmt->error;     } }

this code, many people using (normal easy code prepared statements) there 1 mistake... if change value of man eg. lol , gender in database set "lol" because value "lol"... noticed problem in many websites , codes here, , way fix this, pre-define $_post... check answer

you need whitelist allowed values in array

if (isset($_post['man'])) {  $allowed_values=array("man","women");  if(!in_array($_post['man'],$allowed_values)){ echo"error message"; die(); }      // check connection     if ($conn->connect_error) {         die("connection failed: " . $conn->connect_error);     }       $sql = "      update users      set gender = ?      username = ?  ";   $stmt = $mysqli->prepare($sql); $stmt->bind_param('ss', $_post['man'], $_session['username']);  $ok = $stmt->execute();      if ($ok == true) {         echo "<font color='#00cc00'>your gender has been updated.</font><p>";     } else {         echo "error: " .$stmt->error;     } }

Comments

Post a Comment

Popular posts from this blog

javascript - AngularJS custom datepicker directive -

i make custom datepicker directive custom template. but have no idea how start building it... how include date data directive? i appreciate guide or give me advice work on more precisely. it might you! follow below steps html code sample: <label>birth date</label> <input type="text" ng-model="birthdate" date-options="dateoptions" custom-datepicker/> <hr/> <pre>birthdate = {{birthdate}}</pre> <script type="text/ng-template" id="custom-datepicker.html"> <div class="enhanced-datepicker"> <div class="proxied-field-wrap"> <input type="text" ui-date-format="yy-mm-dd" ng-model="ngmodel" ui-date="dateoptions"/> </div> <label> <button class="btn" type="button"><i class="icon-calendar"></i>
Read more

javascript - jQuery date picker - Disable dates after the selection from the first date picker -

<!doctype html> <html lang="en"> <head> <meta charset="utf-8"> <title>jquery ui datepicker - default functionality</title> <link rel="stylesheet" href="//code.jquery.com/ui/1.11.4/themes/smoothness/jquery-ui.css"> <script src="//code.jquery.com/jquery-1.10.2.js"></script> <script src="//code.jquery.com/ui/1.11.4/jquery-ui.js"></script> <link rel="stylesheet" href="/resources/demos/style.css"> <script> $(function () { $("#datepicker1").datepicker(); }); </script> <script> $(function () { $("#datepicker2").datepicker(); }); </script> </head> <body> <p>date 1: <input type="text" id="datepicker1"></p> <p>date 2: <input type="t
Read more