Tenaciousmug
Posted June 17, 2011

Here is my code:

    if (isset($_POST['remove'])) {
        foreach ($_POST['msgid'] AS $msgid) {
            $sql = "DELETE FROM inbox WHERE msgid = '".$msgid."' AND userid='".$_SESSION['userid']."'";
            mysqli_query($cxn, $sql) or die(mysqli_error($cxn));
        }
    }

It works perfectly fine, but to prevent SQL Injection and XSS, I put this:

    if (isset($_POST['remove'])) {
        foreach ($cxn->real_escape_string(htmlspecialchars($_POST['msgid'])) AS $msgid) {
            $sql = "DELETE FROM inbox WHERE msgid = '".$msgid."' AND userid='".$_SESSION['userid']."'";
            mysqli_query($cxn, $sql) or die(mysqli_error($cxn));
        }
    }

But then it stops grabbing the value. :/
So... is there any way I can prevent malicious attacks without preventing it from grabbing the value?

Tenaciousmug (Author)
Posted June 17, 2011

Never mind! Just had to do this:

    if (isset($_POST['remove'])) {
        foreach ($_POST['msgid'] AS $msgid) {
            $msgid = $cxn->real_escape_string(htmlspecialchars($msgid));
            $sql = "DELETE FROM inbox WHERE msgid = '".$msgid."' AND userid='".$_SESSION['userid']."'";
            mysqli_query($cxn, $sql) or die(mysqli_error($cxn));
        }
    }
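
An added example, not part of the original posts: the same delete loop written with a mysqli prepared statement, so each checkbox value is validated as an integer and passed as a bound parameter instead of being concatenated into the SQL. `htmlspecialchars()` is left out because it encodes text for HTML output and does not belong on values headed for a query. The function name `delete_messages` is hypothetical, and the code assumes `msgid` and `userid` are integer columns and that the checkboxes are posted as `msgid[]`.

```php
<?php
// Added example, not the poster's code. Assumes $cxn is an open mysqli
// connection, session_start() has run, and msgid/userid are integer columns.

/** Delete the selected messages owned by $userId; returns rows deleted. */
function delete_messages(mysqli $cxn, int $userId, $rawIds): int
{
    // A tampered request can send msgid as a plain string, not msgid[].
    if (!is_array($rawIds)) {
        return 0;
    }

    // Keep only positive integers; filter_var() returns false for nested
    // arrays, empty strings and anything non-numeric.
    $ids = [];
    foreach ($rawIds as $raw) {
        $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by value to drop duplicates
        }
    }
    if ($ids === []) {
        return 0;
    }

    // Prepared once; values travel as bound parameters, never as SQL text.
    $stmt = $cxn->prepare('DELETE FROM inbox WHERE msgid = ? AND userid = ?');
    if ($stmt === false) {
        throw new RuntimeException('Could not prepare DELETE statement');
    }
    $msgId = 0;
    $stmt->bind_param('ii', $msgId, $userId); // bound by reference

    $deleted = 0;
    foreach ($ids as $id) {
        $msgId = $id;          // update the bound variable, then run
        $stmt->execute();
        $deleted += $stmt->affected_rows;
    }
    $stmt->close();
    return $deleted;
}

if (isset($_POST['remove'], $_POST['msgid'], $_SESSION['userid'])) {
    $removed = delete_messages($cxn, (int) $_SESSION['userid'], $_POST['msgid']);
}
```

The `userid = ?` condition is what stops one user from deleting another user's messages by submitting a `msgid` they do not own, so it stays in the statement even though the ids are validated.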