Pass js value to select where clause

[Ryder100]

Hi,
I am trying to take the values from a hidden field created with a js function and pass them into a select...from...where clause and can't seem to get the syntax right. The js function stores the values like ("cat,dog") but for the where clause I need them to be like ("cat","dog"). I will attach my function. Thanks in advance for any suggestions.

function populateHiddenStatus(fromObject,toObject) {
var output = '';
for (var i=0, l=fromObject.options.length;i<l;i++) {
if (fromObject.options.selected)
output +=(fromObject.options.value) + ',';
}
//alert(output);
toObject.value = output;
}

 

[kaht]

Ryder100, I can't begin to explain how phenomenally bad this solution is. Javascript should not be used for this purpose - it should be handled server side, after the data has been cleansed, and then washed, and then sanitized (and then done again for good measure).

All it takes is one SQL injection thru that feeble system and you'll likely be out of a job.

Have a good, thorough read here and then read it again just to make sure that you've absorbed it:

http://en.wikipedia.org/wiki/SQL_injection

-kaht

Lisa, if you don't like your job you don't strike. You just go in every day and do it really half-assed. That's the American way. - Homer Simpson

[small]<P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <B> <P> <.</B>[/small]