
ban or unban based on get method

         

RogueDogg

10:56 pm on Jul 21, 2008 (gmt 0)

10+ Year Member



here are my 2 urls:

<?PHP echo '<a href=refsearch.php?rid='.$row['rid'].'ban=1>Ban</a>'; ?>

<?PHP echo '<a href=refsearch.php?rid='.$row['rid'].'ban=0>UnBan</a>'; ?>

Here is my statement:

$banned=$_GET['rid'];
$ban=$_GET['ban'];
if (!empty($banned)) {
    $update = "UPDATE referrals set banned='$ban' WHERE rid='$banned'";
    $result = mysql_query($update) or die(mysql_error());
}

The only part that seems to be working at this point is setting the banned status to 0. Once it is set to 0, I click on "ban" to set it back to 1 and it's not working: it says it is set, based on my echo, but it's not updating it to 1 in the db.

cameraman

11:03 pm on Jul 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



zero is considered empty(). If you're trying to make sure the parameter was supplied, use isset() [us2.php.net]. Check for 0 or 1 explicitly.

janharders

11:10 pm on Jul 21, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



is it a typo or did you miss a & or ; in
rid='.$row['rid'].'ban=

?

RogueDogg

11:13 pm on Jul 21, 2008 (gmt 0)

10+ Year Member



K this is the fix:

<a href=refsearch.php?rid='.$row['rid'].'&ban=1>Ban</a>'; ?>

had to add & before the word ban in the url.

should have paid closer attention before posting...sorry :-)

eelixduppy

11:14 pm on Jul 21, 2008 (gmt 0)



Make sure to also check for correct input, and sanitize if needed. Since they are both integers from what I can see, you should add something like this, which type-casts to an integer in the case where it's not:

$banned = (int)$_GET['rid'];
$ban = (int)$_GET['ban'];

>> is it a typo or did you miss a & or ; in

Nice catch :)

RogueDogg

4:43 am on Jul 22, 2008 (gmt 0)

10+ Year Member



Is there a proper way to sanitize for other methods other than int, such as varchar or ?

eelixduppy

5:22 am on Jul 22, 2008 (gmt 0)



Yes, use mysql_real_escape_string. It's not "sanitizing"; however, it is escaping the data for the query, at least.
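As an added example (not code from anyone in this thread), here is the same ban/unban update written the way the two answers above point toward: isset() instead of empty() so that "ban=0" is not treated as a missing parameter, integer validation for rid and ban, and a prepared statement in place of string-building the query, which also covers the varchar question (bind string values with type 's' instead of escaping them by hand). The mysql_* functions used in the thread are gone in PHP 7, so this uses mysqli. It assumes a `referrals` table with `rid` and `banned` columns as in the thread, an open `$mysqli` connection created elsewhere, and, purely for the string case, a hypothetical `referrer` varchar column that the thread does not mention.

```php
<?php
// Added example, not from the original thread. Assumes an open mysqli
// connection in $mysqli and the `referrals` table (rid, banned) from the thread.

// empty('0') is true, so a "ban=0" parameter looks "missing" to empty().
// Check presence with isset(), then validate the value itself.
function readBanRequest(array $get): ?array
{
    if (!isset($get['rid'], $get['ban'])) {
        return null;                                   // parameter not supplied
    }
    // FILTER_VALIDATE_INT returns false for "", "abc", "1 OR 1=1", etc.
    $rid = filter_var($get['rid'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $ban = filter_var($get['ban'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1]]);
    if ($rid === false || $ban === false) {
        return null;                                   // not an integer, or out of range
    }
    return ['rid' => $rid, 'ban' => $ban];
}

// Placeholders keep the values out of the SQL text entirely; this replaces
// both the "$ban"/"$banned" interpolation and mysql_real_escape_string().
function updateBanStatus(mysqli $db, int $rid, int $ban): int
{
    $stmt = $db->prepare('UPDATE referrals SET banned = ? WHERE rid = ?');
    $stmt->bind_param('ii', $ban, $rid);               // 'i' = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;                                  // 1 if the row existed
}

// The varchar case: bind the string with type 's'. The driver handles quoting,
// so no manual escaping is needed. `referrer` is a hypothetical column.
function updateReferrerName(mysqli $db, int $rid, string $name): int
{
    $stmt = $db->prepare('UPDATE referrals SET referrer = ? WHERE rid = ?');
    $stmt->bind_param('si', $name, $rid);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Request handling for refsearch.php?rid=...&ban=...
$request = readBanRequest($_GET);
if ($request === null) {
    http_response_code(400);
    exit('Missing or invalid rid/ban parameter');
}
$rows = updateBanStatus($mysqli, $request['rid'], $request['ban']);
echo $rows === 1 ? 'Updated' : 'No matching referral';
```

Validation and escaping do different jobs here: filter_var rejects anything that is not a 0/1 flag or a positive id before the database is touched, and the prepared statement guarantees that whatever does reach the query is treated as a value, never as SQL.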