Omar,
Peter is right. You should never send queries from the client to the
server. This is very insecure. Someone could easily see this and
inject their own SQL into your app. You should follow the simple rule
of never trust the client.
Instead put the SQL on the server and only send changing properties
from the client. You can also send a command string that lets the
server know which server-side SQL to use.
On Feb 2, 2008, at 6:39 AM, "Pete Hotchkiss" <[EMAIL PROTECTED]> wrote:
Omar
This is the least of your worries .... google SQL injection attacks
before you waste too much more development time trying to resolve
this issue.
Pete
-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Omar Fouad
Sent: Sat 2/2/2008 1:07 AM
To: Flash Coders List
Subject: [Flashcoders] LoadVars and SQL Query issue
I am doing an application where I'm writing some classes that send
queries to a php file by using LoadVars.send().
var toSend:LoadVars = new LoadVars();
var myQuery:String = "select * from users where Name = 'Omar Fouad' ";
toSend.query = myQuery; // traces: select * from users where Name = 'Omar Fouad'
toSend.send("File.php", "_self", "POST");
At this phase the php file receives the query, and when I echo the
query the string appears as:
select * from users where Name = \'Omar Fouad\'
That's how it is sent to the server, so of course it shows an SQL
error because of the backslashes. Apparently it does not recognize the
"String in the String" part of the query that is sent from Flash.
When I send a query for a Number like:
select ^ from users where id = 1
it queries the database without problems.
How can I solve this problem?
Thanks and Regards.
--
Omar M. Fouad - Digital Emotions
http://www.omarfouad.net
_______________________________________________
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders
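A worked version of the server-side approach recommended at the top of this thread, added here as an example and not code from anyone on the list. The Flash client posts only a command name and the values that change (for instance toSend.cmd = "userByName"; toSend.name = "Omar Fouad";), and File.php maps that name to SQL it owns, binding the value as a parameter. The command names, the POST field names and the users table are assumptions made for the example. The same design also removes the backslash problem from the original question: those backslashes are added by PHP's magic_quotes_gpc escaping of incoming POST data, and a bound parameter is never escaped or parsed as SQL, so a name containing an apostrophe matches as typed.

```php
<?php
// Added example (not code from the thread): the server owns all SQL and the
// client only names a command and supplies values. Assumed names: the "cmd",
// "name" and "id" POST fields and a "users" table.
declare(strict_types=1);

// Whitelist of commands the client may request, each mapped to fixed SQL with
// named placeholders and the list of POST fields it expects. No SQL text ever
// arrives from the client.
const COMMANDS = [
    'userByName' => [
        'sql'    => 'SELECT id, name FROM users WHERE name = :name',
        'params' => ['name'],
    ],
    'userById' => [
        'sql'    => 'SELECT id, name FROM users WHERE id = :id',
        'params' => ['id'],
    ],
];

// Look up the command, bind every expected field as data, run it.
function runCommand(PDO $db, string $cmd, array $input): array
{
    if (!isset(COMMANDS[$cmd])) {
        throw new InvalidArgumentException("unknown command: $cmd");
    }
    $spec = COMMANDS[$cmd];
    $stmt = $db->prepare($spec['sql']);
    foreach ($spec['params'] as $p) {
        if (!array_key_exists($p, $input)) {
            throw new InvalidArgumentException("missing parameter: $p");
        }
        // Bound as a value: quotes inside it (the "string in the string")
        // are compared literally and never become part of the SQL syntax.
        $stmt->bindValue(':' . $p, $input[$p]);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('Omar Fouad'), ('O''Brien')");

// In File.php this would be $_POST; here the input is constructed.
$post = ['cmd' => 'userByName', 'name' => "O'Brien"];   // apostrophe, no escaping needed
print_r(runCommand($db, $post['cmd'], $post));

// A value that happens to contain SQL syntax is just a string that matches no row.
$post = ['cmd' => 'userByName', 'name' => "' OR 1=1 --"];
print_r(runCommand($db, $post['cmd'], $post));

// A command the server does not know is refused before any SQL runs.
try {
    runCommand($db, 'dropEverything', []);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The client-side change is small: instead of a query string, the LoadVars object carries cmd plus the fields that command needs, and the server decides which statement to run. Adding a new query means adding an entry to COMMANDS, not trusting more of the request.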