DEVILofDARKNESS (Posted September 12, 2009)
I also want to let people beta test my site. I've worked hard on it, and I like it (doesn't mean you have to like it). So I want to make it safe and easy to use. I want to let people test if everything works like you should expect... Only at the register page you should be sure your names start with a capital, because the script doesn't give any error yet and you can't move on to the next page. I also know that the centered text isn't beautiful.
ninv (test account username: IRA, pass: IRA)
For moderators: http://www.ninv.be/phpfreaks.txt is to show I'm the owner.
Thread: https://forums.phpfreaks.com/topic/173986-ninv/
xcoderx (Posted September 12, 2009)

<?php
// Fragment as posted; the beginning of the script did not survive. $id is
// assumed to be set earlier from the request, as the thread later describes.
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;
echo "Their went something wrong...";
switch ($id) {
    case 1:
        echo "You forgot to choose a target and/or a region from where you want to attack.";
        break;
    case 2:
        echo "You didn't make step 1,2 and 4";
        break;
    case 3:
        echo "You don't have that many rockets!";
        break;
    case 4:
        echo "You didn't choose a weapon and/or an ammount";
        break;
    default:
        echo "Their was an unknown problem...";
        break;
}
echo " return";
?>
darkfreaks (Posted September 12, 2009)
A bit of advice: use mysql_real_escape_string() and PDO in your application. If you're not sure, read up on how to use it. This will weed out all SQL injection you may have now.
DEVILofDARKNESS (Author, Posted September 13, 2009)
Yes, I didn't do anything against SQL injections yet; that should be on my list! If I do $_GET['id'] and then a switch($id), is that safe enough, or should I htmlspecialchars the variable?
trq (Posted September 13, 2009)
> if I do $_GET['id'] and then a switch($id) is that safe enough
Sorry, but that makes no sense.
DEVILofDARKNESS (Author, Posted September 13, 2009)
Why?
darkfreaks (Posted September 13, 2009)
Use some PDO in your SQL queries; this will escape SQL injection. Example:

<?php
$db = new PDO('mysql:host=localhost;dbname=school', 'username', 'password');
// Make PDO throw on failure; by default execute() just returns false and the
// catch block below would never run.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// The SQL text is fixed here; the value is bound separately at execute() time.
$stmt = $db->prepare('INSERT INTO Students (name) VALUES (:name)');
try {
    $stmt->execute(array('name' => $_POST['student_name']));
    echo 'Success.';
} catch (PDOException $e) {
    echo 'Insertion failed. Please try again.';
}
?>
DEVILofDARKNESS (Author, Posted September 13, 2009)
I will google myself what PDO is, but I'm not familiar with $db->prepare: is it the same as mysql_query???
darkfreaks (Posted September 13, 2009)
No, it is not. I suggest you google and read up on it and then apply it to your application.
DEVILofDARKNESS (Author, Posted September 13, 2009)
How is it called? Because if I do "php ->" or "php $db->", Google just drops the -> because it's not alphanumeric.
darkfreaks (Posted September 13, 2009)
Code please, otherwise we don't know what you are doing.
DEVILofDARKNESS (Author, Posted September 13, 2009)
No no, I'm not using any code. I asked what '->' means and you said Google it, but if I fill in the search bar 'php ->', Google makes it 'php' without the '->'. So my question was: is there a special name for '->'?
darkfreaks (Posted September 13, 2009)
What are you trying to do?
DEVILofDARKNESS (Author, Posted September 13, 2009)
I want to know what $db->prepare does.
darkfreaks (Posted September 13, 2009)
It fetches the query and prepares it, thus stripping it of SQL injection, then executes it.
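To make concrete what prepare() and bound parameters do (darkfreaks' PDO example above and the explanation in this post) and to answer the earlier $_GET['id'] / switch($id) question, here is an added example that is not code from this thread or from the ninv site. It uses an in-memory SQLite database so it runs offline (an assumption; the site itself uses MySQL), with a constructed users table and constructed request values:

```php
<?php
// Added example: string-built SQL beside a PDO prepared statement, plus input
// validation for a switch() on a request value. All data below is constructed.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');   // assumption: SQLite so the script is self-contained
    // Without this, failed queries return false silently instead of throwing.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, rockets INTEGER)');
    $db->exec("INSERT INTO users (id, name, rockets) VALUES (1, 'IRA', 5), (2, 'Bob', 12)");
    return $db;
}

// VULNERABLE: the request value becomes part of the SQL text, so a value such
// as "1 OR 1=1" changes the query's structure. Note that escaping quotes with
// mysql_real_escape_string() would not help here, because there are no quotes.
function rocketsUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, rockets FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare() time; the value is sent separately
// as a bound parameter and is never parsed as SQL.
function rocketsSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, rockets FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A prepared statement does not strip or escape anything: the value is stored
// exactly as given, quotes and all, and can be read back unchanged.
function insertName(PDO $db, string $name): string
{
    $stmt = $db->prepare('INSERT INTO users (name, rockets) VALUES (:name, 0)');
    $stmt->execute([':name' => $name]);
    $lastId = (int) $db->lastInsertId();
    $read = $db->prepare('SELECT name FROM users WHERE id = :id');
    $read->execute([':id' => $lastId]);
    return (string) $read->fetchColumn();
}

// For the switch($id) question: a switch on $_GET['id'] is not a SQL risk by
// itself, but the value should still be validated against the codes the page
// actually handles. htmlspecialchars() is not an input filter; see below.
function errorMessage($rawId): string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 4]]);
    switch ($id) {
        case 1:  return 'You forgot to choose a target and/or a region.';
        case 2:  return 'You did not complete steps 1, 2 and 4.';
        case 3:  return 'You do not have that many rockets!';
        case 4:  return 'You did not choose a weapon and/or an amount.';
        default: return 'There was an unknown problem.';
    }
}

$db      = makeDb();
$crafted = '1 OR 1=1';   // constructed request value

echo "unsafe query, crafted value: " . count(rocketsUnsafe($db, $crafted)) . " rows\n"; // 2 rows leak
echo "safe query, crafted value:   " . count(rocketsSafe($db, $crafted)) . " rows\n";   // 0 rows
echo "safe query, normal value:    " . count(rocketsSafe($db, '1')) . " rows\n";        // 1 row
echo "stored name: " . insertName($db, "O'Brien' OR 1=1 --") . "\n";  // stored verbatim

echo "message for id=3:  " . errorMessage('3') . "\n";
echo "message for id=99: " . errorMessage('99') . "\n";
echo "message for crafted id: " . errorMessage($crafted) . "\n";

// htmlspecialchars() belongs at output time, when user data is echoed into
// HTML; it protects the browser, not the database.
$displayName = "<script>alert(1)</script>";   // constructed value
echo "escaped for HTML: " . htmlspecialchars($displayName, ENT_QUOTES, 'UTF-8') . "\n";
```

The two questions the thread raises thus have separate answers: bound parameters keep request data out of the SQL text (the database query), while htmlspecialchars() keeps request data from being interpreted as markup (the HTML output); neither one substitutes for the other.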
Coreye (Posted September 13, 2009)
> How is it called? because if I do php -> or php $db-> google just drops the -> because it's not alphanumeric.
http://www.phpfreaks.com/forums/index.php/topic,95867.0.html
trq (Posted September 13, 2009)
Why not look up PDO in the manual? It's as easy as typing http://php.net/functionname. http://php.net/pdo