@NightShift58 Jan 28, 2007 — #
[QUOTE]SELECT fname, lname, address FROM NAMES WHERE nameid = $_GET['nameid'][/QUOTE]
Well, somehow, the information has to be passed from one script to another and there is no real way to do so with absolute stealth.
However, the way you are taking a value directly from the URL and applying it to a query could lead to problems.
You always have to sanitize or neutralize such user input. Instead of just typing a "10", a malevolent user could write "10' and 'blabla", making your statement think that that's what it's supposed to do.
In this particular case, as you are expecting a record ID, an integer, you could, prior to executing the query, do:
[code=php]
<?php
// Coerce the query-string value to an integer before it reaches the SQL string;
// anything that is not a number becomes 0, so no quotes or SQL fragments survive.
$recID = intval($_GET['nameid']);
$sql = "SELECT fname, lname, address FROM NAMES WHERE nameid = $recID";
?>
[/code]
In case you are expecting something other than an integer, use mysql_real_escape_string() to make sure any strange characters are neutralized prior to executing a query.
@bubbisthedog (author) Jan 28, 2007 — #
See, that's why I come here. Excellent advice, NightShift.
Thankfully, when I enter 'blah,' as one of my parameter values, all that is returned is 'Unknown column 'blah' in 'where clause,' which I would not [i]think[/i] is a 'vulnerable' response, right? The rest of the page simply does not display when that error occurs.
I will nonetheless use intval(); I should be doing that anyway.
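An added example (not code from either poster) putting the advice from both posts together: the thread's vulnerable query next to a hardened lookup that validates the record ID strictly and binds it as a prepared-statement parameter. It assumes the thread's NAMES table with an integer nameid column, a PDO connection to MySQL (a hypothetical DSN and credentials), and the hypothetical helper names parseRecordId and fetchName. Two caveats a practitioner would want: intval() silently turns "10abc" into 10 and "abc" into 0, so the example rejects malformed IDs instead of coercing them; and the mysql_* extension (including mysql_real_escape_string()) was removed in PHP 7.0, so binding parameters through PDO or mysqli is the current equivalent. The second post mentions that the raw MySQL error text ('Unknown column ...') is shown to the client; the example logs database errors server-side and returns a generic message, since error text leaks schema details.

```php
<?php
// Added example, not from the thread. Assumes table NAMES(nameid INT, fname, lname, address)
// and a PDO/MySQL connection; the DSN, credentials and helper names are hypothetical.

declare(strict_types=1);

// Vulnerable form from the thread: the raw query-string value is spliced into the SQL text,
// so anything the client sends is interpreted as part of the statement.
function vulnerableQuery(string $rawId): string
{
    return "SELECT fname, lname, address FROM NAMES WHERE nameid = $rawId";
}

// Strict validation: accept only a digit string that is a plausible positive record ID.
// Unlike intval(), this rejects "10abc", "abc" and "" instead of coercing them to a number,
// so malformed input is detected (and can be logged) rather than silently changed.
function parseRecordId(?string $raw): ?int
{
    if ($raw === null || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form: the validated integer is bound as a parameter, so the driver sends it
// separately from the statement text and it can never be parsed as SQL.
function fetchName(PDO $db, int $recID): ?array
{
    $stmt = $db->prepare('SELECT fname, lname, address FROM NAMES WHERE nameid = :id');
    $stmt->bindValue(':id', $recID, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Reject bad input before touching the database.
$recID = parseRecordId($_GET['nameid'] ?? null);
if ($recID === null) {
    http_response_code(400);
    exit('Invalid record id');
}

try {
    // Hypothetical connection details; replace with your own.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // use real server-side prepared statements
    ]);
    $row = fetchName($db, $recID);
} catch (PDOException $e) {
    // Keep the database error text out of the response; it reveals table and column names.
    error_log('NAMES lookup failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Lookup failed');
}

if ($row === null) {
    http_response_code(404);
    exit('No such record');
}

// Escape on output so a value stored in the table cannot inject HTML into the page.
echo htmlspecialchars($row['fname'] . ' ' . $row['lname'] . ', ' . $row['address'], ENT_QUOTES, 'UTF-8');
```

Requesting the page with nameid=10 runs the bound query; nameid=10' and 'blabla or nameid=blah never reaches the database at all and gets a 400 instead of a MySQL error message. The vulnerableQuery() function is kept only to show what the original concatenation produces; it is never executed.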