its the first time i m trying to secure what user ender in form field..so please be gentle with me
Lets say that i got a simple form...
Code: Select all
$test='<form action="" method="post" name="upl_form">
<select name="categoryboth">
<option value="">Pls Select One Option Of This Field</option>
'.$photo_category_list.'
</select>
'.$error_cat.'
<input name="submit" type="submit" value="Submit" />';Code: Select all
//Building Category
$photo_category_list = "";
$allowed_category = array();
$result = mysql_query( "SELECT category_id,category_name FROM gallery_category ORDER BY category_name" );
while( $row = mysql_fetch_array( $result ) )
{
$photo_category_list .= '<option value="'.$row[0].'|'.$row[1].'" '.($row[0].'|'.$row[1]== $_POST["categoryboth"]? "selected=\"selected\"":"").'>'.$row[1].'</option>';
$allowed_category[]= $row[0].'|'.$row[1] ;
}
mysql_free_result( $result );Code: Select all
<option value="">Pls Select One Option Of This Field</option>
<option value="2|EuroDance" >EuroDance</option>
<option value="7|Hip-Hop" >Hip-Hop</option>
<option value="1|Italo" >Italo</option>OK now the validation part...
Code: Select all
$categoryboth=$_POST['categoryboth'];
$error_msg='';
$categorybothA=(is_array($allowed_category) && !in_array($categoryboth,$allowed_category) ? true : false);
$error_cat=(isset($categoryboth) && $categoryboth=="" && $categorybothA==true ? '<font color="red"> Error in <strong>Category</strong></font>' : " " );
$error_msg=(isset($categoryboth) && $categoryboth=="" && $categorybothA==true ? $error_msg+1 : $error_msg ) ;Code: Select all
if ($error_msg!='') ///<<<<<<<<<<<<<<<<<<< E r r o r s Display Form Again
{
redisplay form
}
else
{
// Insert values in my DB
$query = "INSERT INTO database('categoryboth', ....etc....) VALUES ('my_quote($categoryboth)', ....etc...) ";
$result = mysql_query($query);
if (!$result)
{
echo "<br>Error with query is ".mysql_error();
}
else
{
echo " CONGRATULATION !!!!!......etc........";
}
}Code: Select all
function my_quote( $value )
{
if( get_magic_quotes_gpc() )
{
$value = stripslashes( $value );
}
//check if this function exists
if( function_exists( "mysql_real_escape_string" ) )
{
$value = mysql_real_escape_string( $value );
}
//for PHP version < 4.3.0 use addslashes
else
{
$value = addslashes( $value );
}
return $value;
}My validation is safe ??
Thanks.....