Re: Problem involving checkbox and Postgresql - Mailing list pgsql-php

From Chadwick Rolfs
Subject Re: Problem involving checkbox and Postgresql
Msg-id Pine.SOL.3.96.1020621093804.25405B-100000@shell.gis.net
In response to Re: Problem involving checkbox and Postgresql  (Digital Wokan <wokan@cox.net>)
List pgsql-php
On Mon, 17 Jun 2002, Digital Wokan wrote:

> All of which brings up the fact that you should never just trust all the
> values being submitted to a page.  That's how SQL insertion attacks succeed.
>
> On Thursday 20 June 2002 13:22, Scott Marlowe wrote:
> > You have to process the values yourself to make sure it's right.
> >
> > Just do something like this:
> >
> > if ($driving_required == "1") $driving_required = 't';
> > else $driving_required = 'f';
> >
> > Then use it in your update / insert statement as usual.
> >
> > On 20 Jun 2002, Jeff Self wrote:
> > > That only works if I leave the checkboxes checked. If I remove the
> > > check, I get the following error:
> > >
> > > Warning:  pg_exec() query failed:  ERROR:  Bad boolean external
> > > representation ''
> > >  in /var/www/nngov/admin/jobpostresults.php on line 66
> > >
> > > On Thu, 2002-06-20 at 13:39, Surojit Niyogi wrote:
> > > > Hi Jeff,
> > > >
> > > > Set the value parameter in the input tag
> > > >
> > > > <input type="checkbox"
> > > > name="driving_required" CHECKED value='1'>
> > > >
> > > > That should work I believe.
> > > >
> > > > -Surojit

I just looked it up, and the value attribute is optional EXCEPT when the
type is either radio or checkbox.  Therefore you must specify some sort of
value; it could even be 'on' if you want ;)
See here:

http://www.w3.org/TR/html4/interact/forms.html#h-17.4

Either way, as stated above, all values should be checked in a production
state, but to manipulate your $_POST or $_GET arrays and turn them into
SQL query strings, it is sometimes necessary to individually search and
replace values that do not work with SQL.  In other words, HTML form
values were not meant to be sent to database back ends in the form of SQL,
hence we have PHP to change them for us :)  Hooray for that!

-Chadwick
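The two pieces of advice in this thread (give the checkbox an explicit value, then reduce whatever the client sends to exactly 't' or 'f' in PHP before it reaches the query) fit together as below. This is an added example, not code from any poster; the $conn connection handle, the jobs table and its id and driving_required columns are assumed for illustration, and the sample form submissions are constructed. It also goes one step beyond the thread by binding the normalised flag with pg_query_params instead of building the SQL string by hand, so that even the sanitised value is never interpolated into the query text.

```php
<?php
// Added example (not from the original thread): normalise a checkbox from
// $_POST into a PostgreSQL boolean literal and bind it as a parameter.
//
// An unchecked <input type="checkbox"> is simply absent from the submitted
// form, so $_POST['driving_required'] is unset rather than '' or '0'; that
// missing key is what produced the "Bad boolean external representation ''"
// error in the thread. Anything else the client sends ('on', '1', or a
// crafted string) must be reduced to exactly 't' or 'f' before it is used.

/**
 * Map a submitted checkbox value to a PostgreSQL boolean literal.
 * Only allow-listed inputs count as checked; everything else,
 * including a missing key, is treated as false.
 */
function checkbox_to_pg_bool(array $form, string $name): string
{
    if (!array_key_exists($name, $form)) {
        return 'f';                     // checkbox was not checked
    }
    // 'on' is the browser default when value= is omitted; '1' matches the
    // value='1' suggested earlier in the thread. Strict comparison so that
    // '1 OR 1=1' or similar never matches.
    return in_array($form[$name], ['1', 'on'], true) ? 't' : 'f';
}

// Constructed sample submissions (not real requests).
$samples = [
    'checked, value=1'   => ['driving_required' => '1'],
    'checked, no value=' => ['driving_required' => 'on'],
    'unchecked'          => [],
    'tampered'           => ['driving_required' => "1'); DROP TABLE jobs; --"],
];

foreach ($samples as $label => $post) {
    printf("%-20s -> %s\n", $label, checkbox_to_pg_bool($post, 'driving_required'));
}

/**
 * Even after reducing the value to 't'/'f', bind it as a parameter rather
 * than interpolating it into the query text. $conn is an open pg_connect()
 * handle and the jobs table is assumed for illustration.
 */
function update_driving_required($conn, int $job_id, array $post): bool
{
    $flag = checkbox_to_pg_bool($post, 'driving_required');
    $result = pg_query_params(
        $conn,
        'UPDATE jobs SET driving_required = $1 WHERE id = $2',
        [$flag, $job_id]
    );
    return $result !== false;
}
```

Running the script prints 't' for the first two samples and 'f' for the unchecked and tampered ones; the tampered payload never reaches the database because it is not in the allow-list, and even a value that is would only ever arrive as a bound parameter.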
