mekha Posted September 7, 2012
Hi guys, I have this link: xxxxxxx.com/form.php?act=add
How do I protect $_GET["act"]? I tried:
$mysqli->real_escape_string($_GET["act"]);
and when I write xxxxxxx.com/form.php?act=add"""" there are problems in the page.... I tried too:
mysql_real_escape_string($_GET["act"]);
and there are PHP errors... variables undefined.... How can I protect $_GET["act"]?
Ingolme Posted September 7, 2012
$_GET['act'] is undefined if there is no "act" in the URL. Check that it's set using isset().
mekha (Author) Posted September 7, 2012
There is "act" in the URL.... but after act=add, if I add a quote ('), like this: act=add' it does not work!... I did the check (isset).
Ingolme Posted September 7, 2012
I don't have enough information to determine the problem. Are you getting any error messages?
mekha (Author) Posted September 7, 2012
Yes!.... when I write ( ' ) after the URL I get undefined variables.... because of: act=add moved to be: act=add' so ... add' .. is undefined.
justsomeguy Posted September 7, 2012
"add'" is not a variable, it is a value. $_GET['act'] is the variable. Maybe you should show your code and paste the error message.
mekha (Author) Posted September 7, 2012
This is my code:

$act = array('add', 'edit', 'delete');
if (isset($_GET['act']) && (in_array($_GET['act'], $act))) {
    $act = $mysqli->real_escape_string($_GET["act"]);
}

and the problem is:

( ! ) Notice: Undefined variable: foldpath in C:\wamp\www\ishort\folders\form.php on line 96

This problem is only when I write the URL: form.php?act=add' but if: form.php?act=add there are no problems.
thescientist Posted September 7, 2012
I don't see where foldpath comes from, but I would not put the extra quote after add then. Seems simple enough.
mekha (Author) Posted September 7, 2012

if ($act == "edit") {
    $folderid = (int)$_GET["id"];
    $sql2 = getfolderbyId();
    if ($result2 = $mysqli->prepare($sql2)) {
        $result2->bind_param("i", $folderid);
        $result2->execute();
        $result2->store_result();
        $rowsZ2 = $result2->num_rows;
    }
    if ($rowsZ2 > 0) {
        $row2 = fetch($result2);
    }
    $foldername = $row2[0]["fold_name"];
    $foldpath = $row2[0]["fold_path"];
    $foldpic = $row2[0]["fold_pic"];
}
if ($act == "add") {
    $foldername = "";
    $foldpath = "";
    $foldpic = "";
}
mekha (Author) Posted September 7, 2012
But if someone else (a moderator, for example) added the extra quote by mistake?.... I need to protect this :S... for example: if the $_GET is a number... I use (int) before... and the extra quote has no effect on the URL and the PHP code... so I need to protect strings too.
Ingolme Posted September 7, 2012
Using bind_param() already protects all data types. But if you're using an ordinary query, real_escape_string works. The problem is that you need to define "foldpath" outside of any if() conditions. Give it a default value.
justsomeguy Posted September 7, 2012
It's probably more useful to give $act a default value. You set $act to be an array first, then check if $_GET['act'] is in that array, then set $act to be the value of $_GET['act'] if it's in the array. Use a different name for the array, and set $act to a default value like an empty string. This problem has nothing to do with quotes, the problem is that the value in $_GET['act'] is not in the array and your code fails to account for the case when $_GET['act'] is not one of the values in the array. You would see the same thing if $_GET['act'] was set to any other value not in the array, this doesn't only happen with quotes. You need to set a default value for $act and change your code to account for the case where $_GET['act'] is not in the list of accepted values.
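The two answers above (Ingolme's point about bind_param() and defaults, and justsomeguy's point about the whitelist and a default $act) can be combined into one version of the form code. The following is an added example written for this thread, not the original poster's code: it assumes $mysqli is an open mysqli connection and a hypothetical table "folders" with columns id, fold_name, fold_path and fold_pic, since the thread never shows the real query behind getfolderbyId().

```php
<?php
// Added example, not the thread's code. Assumes $mysqli is an open mysqli
// connection and a hypothetical table "folders"(id, fold_name, fold_path, fold_pic).

// The whitelist gets its own name so it is never overwritten by the selected action.
$allowedActions = array('add', 'edit', 'delete');

// Default first: if "act" is missing or not in the whitelist we fall back to 'add'.
// (Sending an error page instead is an equally valid choice.)
$act = 'add';
if (isset($_GET['act']) && in_array($_GET['act'], $allowedActions, true)) {
    // Strict comparison: "add'" or 'add"' never matches, only the exact literals.
    // Because $act can now only be one of our own literal strings, no escaping is needed.
    $act = $_GET['act'];
}

// Every variable used later in the page is defined before any branch, so the
// "Undefined variable: foldpath" notice cannot occur for any value of act.
$foldername = '';
$foldpath   = '';
$foldpic    = '';

if ($act === 'edit') {
    // Integer cast for the id, and a bound parameter so the value never touches the SQL text.
    $folderid = isset($_GET['id']) ? (int) $_GET['id'] : 0;

    $stmt = $mysqli->prepare('SELECT fold_name, fold_path, fold_pic FROM folders WHERE id = ?');
    if ($stmt === false) {
        // Do not echo $mysqli->error to users in production; log it and show a generic message.
        error_log('prepare failed: ' . $mysqli->error);
        die('Database error');
    }
    $stmt->bind_param('i', $folderid);
    $stmt->execute();
    $stmt->bind_result($foldername, $foldpath, $foldpic);
    if (!$stmt->fetch()) {
        // No such folder: keep the empty defaults so the form still renders.
        $foldername = $foldpath = $foldpic = '';
    }
    $stmt->close();
}

// When the values go back into HTML, escape them for that context too.
$safeFoldpath = htmlspecialchars($foldpath, ENT_QUOTES, 'UTF-8');
```

The important change is the order: the default for $act and for the three folder variables is set unconditionally at the top, and the if() branches only ever narrow or overwrite those defaults. With strict in_array() on a fixed list, $act is one of your own strings by the time any SQL is built, which is why real_escape_string() is not needed for it; the id still goes through bind_param() because it is a free-form value from the URL.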