mysql_query() doesn't allow for multiple SQL queries/commands; they can't perform injection (I have yet to see how they could) on the command. Of course you should still sanitize the input though.
As for a client not caching images, it depends on how you do it. If you serve up a URL with the address http://www.website.com/images.php?id=23 then yes, you're correct. But why not make use of Cake's routes and allow yourself to do something like http://www.website.com/images/view/23.jpg, in which case they would cache the response. Also, with the right setup on a server (eAccel, memcache, etags, expire-date, etc.) you can achieve a *much* faster turnaround if you use the DB to store images.

On Apr 13, 11:32 am, jonknee <[EMAIL PROTECTED]> wrote:
> On Apr 13, 6:28 am, schneimi <[EMAIL PROTECTED]> wrote:
>
> > Ok thx jonknee, I understand the problem better now.
> >
> > The only reason I store them in db is that I have all data at one
> > place and it's easy to handle for me, not the best reason I know.
> >
> > For now I will use the direct access to the db, that's fast enough.
> > Here is the code I use now in the extra php to set up the db
> > connection:
>
> If you're going to be doing it that way, make sure you edit the
> original script you posted... It has a glaring SQL injection hole:
>
> > $result = mysql_query('SELECT thumbnail FROM covers WHERE album_id='.
> > $_GET['id']);
>
> You're putting GET variables directly into a query... Might work nice
> when id=1, but what about if someone makes id=1; DELETE FROM covers
> WHERE 1? All of your cover images go away. Depending on the MySQL user
> permissions they could do a lot worse.
>
> In your case you could simply pass the GET id variable through
> intval() to make sure it's just a number. Adding a LIMIT 1 wouldn't
> hurt either in case any duplicates ever pop up in the DB.
>
> So something like this:
>
> $result = mysql_query('SELECT thumbnail FROM covers WHERE album_id='.
> intval($_GET['id']) . ' LIMIT 1');

You received this message because you are subscribed to the Google Groups "Cake PHP" group.
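An added example, not code from the thread, showing the thumbnail lookup from the quoted script rewritten so the id is validated and bound through a PDO prepared statement rather than concatenated into the SQL, with the LIMIT 1 suggested above and the ETag/expiry headers mentioned in the caching discussion so clients can cache the response. The `covers` table and `album_id`/`thumbnail` columns are from the thread; PDO is a swapped-in technique in place of the thread's mysql_query() call, and the connection details are placeholders.

```php
<?php
// Added example, not from the thread. Assumes a MySQL database holding the
// `covers` table (album_id, thumbnail) discussed above, reached through PDO.
// Returns the requested album id only if it is a positive integer, else null.
function album_id_from_request(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as a parameter, never spliced into the SQL text, so the
// statement stays a single SELECT whatever the client sent. LIMIT 1 as suggested.
function fetch_thumbnail(PDO $db, int $albumId): ?string
{
    $stmt = $db->prepare('SELECT thumbnail FROM covers WHERE album_id = :id LIMIT 1');
    $stmt->bindValue(':id', $albumId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['thumbnail'];
}

// Sends the image with an ETag and max-age so browsers and proxies cache it
// and revalidate with a cheap 304 instead of re-downloading the bytes.
function serve_thumbnail(string $bytes): void
{
    $etag = '"' . sha1($bytes) . '"';
    if (($_SERVER['HTTP_IF_NONE_MATCH'] ?? '') === $etag) {
        http_response_code(304);
        return;
    }
    header('Content-Type: image/jpeg');
    header('ETag: ' . $etag);
    header('Cache-Control: public, max-age=86400');
    header('Content-Length: ' . strlen($bytes));
    echo $bytes;
}

$albumId = album_id_from_request($_GET);
if ($albumId === null) {
    http_response_code(400);   // not a valid id: refuse rather than query
    exit;
}
// DB_NAME / DB_USER / DB_PASSWORD are placeholders for the reader's own settings.
$db = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$thumb = fetch_thumbnail($db, $albumId);
if ($thumb === null) {
    http_response_code(404);
    exit;
}
serve_thumbnail($thumb);
```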
