On Monday 06 October 2003 10:18, [EMAIL PROTECTED] wrote:

> I figured it out! The register_globals is turned
> off. To parse the id with this parameter off, I
> just need to judge whether $_GET["id"] is set or not. The problem is that I
> wrote the SQL statement as:
>
> $SQLstr="SELECT * FROM employees WHERE id=$_GET["id"]";
>
> That's a wrong one. To solve this, I do the
> following (a naive one):
> $tid=$_GET["id"];
> $SQLstr="SELECT * FROM employees WHERE id=$tid";
>
> And it's OK.

You can do something like:

  $SQLstr="SELECT * FROM employees WHERE id={$_GET['id']}";

But for security you should always check the integrity of any input that you 
receive from the user.

For example, in this case you should verify that $_GET['id'] is indeed an 
integer and nothing else.


-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/*
God grant me the senility to accept the things I cannot change,
The frustration to try to change things I cannot affect,
and the wisdom to tell the difference.
*/

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to