jacko310592 Posted September 20, 2010

Hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes? I know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then I found such JS code as:

javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

(this allows the user of any site to edit content on the user's end)

So with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form?

Thanks

rwwd Posted September 20, 2010

What do you mean "With Select boxes"? Any data that is sent via $_POST || $_GET you should sanitise for use BEFORE the SQL query is sent; this is just a method of flow and logic & the small matter of needing a valid connection to the DB for the function to do its job.

I always thought they were read only; but then again, these hackers get quite clever these days and can circumvent the form via the command line quite easily - they just have to type a few commands in. I suppose that is why Captcha has taken off the way it has...

Oops, just read it back and after a swig of trusty 'ale I see what you're meaning ;-p Yes, use mysql_real_escape_string() through the array_map() callback feature, that way the ENTIRE array gets made DB safe - that's my preferred method, but then again, treat every project differently...

Rw

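An added example, not part of any post in this thread: a <select> value is ordinary request data, so the server checks it against the list of options it offered and passes it to the database as a bound parameter. It uses PDO prepared statements instead of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7); the field name "colour", the allowlist, the table and the in-memory SQLite database are assumptions made for the sketch.

```php
<?php
// Added example: server-side handling of a <select> value.
// Hypothetical names: field "colour", table "choices", the allowlist below.
const ALLOWED_COLOURS = ['red', 'green', 'blue']; // the values the form's <option>s carry

// Return the submitted value only if it is one of the options the form offered.
function validate_select(array $post, string $field, array $allowed): ?string
{
    $value = $post[$field] ?? null;
    // Reject missing fields, arrays (colour[]=x) and anything outside the allowlist.
    if (!is_string($value) || !in_array($value, $allowed, true)) {
        return null;
    }
    return $value;
}

function save_choice(PDO $db, string $colour): void
{
    // Bound parameter: the value never becomes part of the SQL text.
    $stmt = $db->prepare('INSERT INTO choices (colour) VALUES (:colour)');
    $stmt->execute([':colour' => $colour]);
}

// In-memory SQLite stands in for the real database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE choices (colour TEXT NOT NULL)');

// Constructed request bodies: one untouched, two with the option value edited client-side.
$requests = [
    ['colour' => 'green'],
    ['colour' => "purple' --"],
    ['colour' => ['red']],
];

foreach ($requests as $post) {
    $colour = validate_select($post, 'colour', ALLOWED_COLOURS);
    if ($colour === null) {
        echo 'rejected: ', json_encode($post['colour']), "\n";
        continue;
    }
    save_choice($db, $colour);
    echo "stored: $colour\n";
}
echo $db->query('SELECT COUNT(*) FROM choices')->fetchColumn(), " row(s) stored\n";
```

Only the first request is stored; the allowlist rejects the edited values before any query runs, and the bound parameter keeps the accepted value out of the SQL text.
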
jacko310592 (Author) Posted September 20, 2010

Sorry, I meant HTML <select> tags/drop-down lists... I just have a habit of calling them select boxes, but thanks for your answer, helped a lot (:

This topic is now archived and is closed to further replies.