The correct request format

I am making a test program in which I need to use this code:

"href=\"testmng.php?manageqn=" . htmlspecialchars_decode($r['testname'], ENT_QUOTES) . "?subjectname=". htmlspecialchars_decode($r['subname'], ENT_QUOTES)

My question is, what is the correct format so that manageqn and subjectname have the correct values:

else if ((isset($_REQUEST['manageqn'])) && (isset($_REQUEST['subjectname']))) {
    $testname = $_REQUEST['manageqn'];
    $subname = $_REQUEST['subjectname'];
    $result = executeQuery("select testid from test where testname='" . htmlspecialchars($testname, ENT_QUOTES) . "';");

    if ($r = mysql_fetch_array($result)) {
        $_SESSION['testname'] = $testname;
        $_SESSION['subjectname'] = $subname;
        $_SESSION['testqn'] = $r['testid'];

        header('Location: prepqn.php');
    }
}
1 answer

Assuming you are using mysqli to connect to the database, you need to escape the string using the mysqli_real_escape_string() function, otherwise you are at risk of introducing SQL injection into your application:

// $link is the mysqli connection handle; mysqli_real_escape_string() requires it as the first argument
executeQuery("select testid from test where testname='" . mysqli_real_escape_string($link, $testname) . "';");

I would recommend switching to a parameterized query approach using the prepared statement function that mysqli provides. You can have executeQuery() as follows:

executeQuery("select testid from test where testname=?", $testname)

If you are using mysql instead, use mysql_real_escape_string().
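Putting both points together, here is an added example (not code from the question or the answer) that builds the link with '&' between parameters and looks up the test with a bound parameter instead of string concatenation. It assumes a mysqli connection in $db and a table `test` with columns testid and testname.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a mysqli
// connection in $db and a table `test` with columns testid, testname.

// 1. Build the link. Query parameters are joined with '&'; only the first
//    one follows '?'. http_build_query() also URL-encodes each value, so a
//    test name containing a space, '&' or '?' cannot break the query string.
function manageLink(array $row): string
{
    $query = http_build_query([
        'manageqn'    => $row['testname'],
        'subjectname' => $row['subname'],
    ]);
    // Escape for the HTML attribute context at output time.
    return 'href="testmng.php?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '"';
}

// 2. Look up the test with a prepared statement. The value is bound as a
//    parameter, so it is never interpolated into the SQL text and no
//    escaping function is needed at all.
function findTestId(mysqli $db, string $testname): ?int
{
    $stmt = $db->prepare('SELECT testid FROM test WHERE testname = ?');
    $stmt->bind_param('s', $testname);
    $stmt->execute();
    $stmt->bind_result($testid);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $testid : null;
}

// 3. Handle the request produced by the link above.
if (isset($_GET['manageqn'], $_GET['subjectname'])) {
    $testid = findTestId($db, $_GET['manageqn']);
    if ($testid !== null) {
        $_SESSION['testname']    = $_GET['manageqn'];
        $_SESSION['subjectname'] = $_GET['subjectname'];
        $_SESSION['testqn']      = $testid;
        header('Location: prepqn.php');
        exit;
    }
}
```

Because the parameter is bound rather than concatenated, htmlspecialchars() is no longer doing double duty as a (wrong) SQL escaping mechanism and is used only where it belongs, on HTML output.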
