Old October 14th, 2010, 02:15 AM
bopjo1

Nice work DMatt! I changed your code a little bit in cms_transact to pass values to mysql_real_escape_string() like this:

Code:
$title = (isset($_POST['title'])) ? mysql_real_escape_string($_POST['title'], $db) : '';
$article_text = (isset($_POST['article_text'])) ? mysql_real_escape_string($_POST['article_text'], $db) : '';
$user_id = (isset($_POST['user_id'])) ? $_POST['user_id'] : '';

This is because it's very dangerous to let users enter outside data into the database without cleaning it first. $user_id doesn't need it because its value is generated internally.

Last edited by bopjo1; October 14th, 2010 at 02:19 AM..
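A worked version of the escaping step above, as an added example and not code from this thread or from DMatt's CMS: it builds the cms_transact INSERT for a constructed request, escapes every string value through a connection-bound escaper passed in as a callback, and constrains user_id to an integer rather than trusting it, since it still arrives in the request body. The table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. $escape is whatever escaping
// function is bound to the live connection, for example
//   function ($s) use ($db) { return mysql_real_escape_string($s, $db); }
// Table and column names (articles, title, article_text, user_id) are assumed.
function cms_build_insert(array $post, callable $escape)
{
    $title        = isset($post['title'])        ? $escape($post['title'])        : '';
    $article_text = isset($post['article_text']) ? $escape($post['article_text']) : '';
    // user_id is also request data, so it is cast to an integer instead of
    // being copied into the query as-is.
    $user_id      = isset($post['user_id'])      ? (int) $post['user_id']      : 0;

    return "INSERT INTO articles (title, article_text, user_id) "
         . "VALUES ('$title', '$article_text', $user_id)";
}

// Constructed request: an ordinary apostrophe in the title is enough to
// break an unescaped query.
$post = array(
    'title'        => "Bob's first post",
    'article_text' => "It's about SQL.",
    'user_id'      => '7',
);

// Offline stand-in for the connection-bound escaper so this runs without a
// database. It is NOT a substitute for mysql_real_escape_string in real code,
// which has to know the connection's character set.
$demoEscape = function ($s) { return addslashes($s); };

// Escaped: the quotes inside the values stay inside their string literals.
echo cms_build_insert($post, $demoEscape), "\n";

// Unescaped, for comparison: the title's apostrophe terminates the string
// literal early, so the statement is malformed and its tail is attacker-
// controlled. This is the situation the escaping step prevents.
echo cms_build_insert($post, function ($s) { return $s; }), "\n";
```

Running the script with `php` prints the two INSERT statements side by side so the effect of escaping is visible without a database.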