Yes. I'll do that. In this example, the only thing
that I can think of for input checking is to use
the is_int() function. Are there any other ways to do
the input checking?

Thanks.

Zhan Xu
EECS Department
Case Western Reserve University

----- Original Message -----
From: Jason Wong <[EMAIL PROTECTED]>
Date: Monday, October 6, 2003 8:13 am
Subject: Re: [PHP-DB] SoS

> On Monday 06 October 2003 10:18, [EMAIL PROTECTED] wrote:
> 
> > I figured it out! The register_globals is turned
> > off. To parse the id with this parameter off, I
> > just need to judge whether $_GET["id"] is set or not. The problem is that I
> > wrote the SQL statement as:
> >
> > $SQLstr="SELECT * FROM employees WHERE id=$_GET["id"]";
> >
> > That's a wrong one. To solve this, I do the
> > following (a naive one):
> > $tid=$_GET["id"];
> > $SQLstr="SELECT * FROM employees WHERE id=$tid";
> >
> > And it's OK.
> 
> You can do something like:
> 
>  $SQLstr="SELECT * FROM employees WHERE id={$_GET['id']}";
> 
> But for security you should always check the integrity of any input 
> that you 
> receive from the user.
> 
> For example, in this case you should verify that $_GET['id'] is 
> indeed an 
> integer and nothing else.
> 
> 
> -- 
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications 
> Development *
> ------------------------------------------
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-db
> ------------------------------------------
> /*
> God grant me the senility to accept the things I cannot change,
> The frustration to try to change things I cannot affect,
> and the wisdom to tell the difference.
> */
> 
> -- 
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

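An added example, not code posted by anyone in this thread, showing the check Jason describes (that $_GET['id'] really is an integer) and why is_int() alone does not do it, followed by binding the value instead of pasting it into the query. It assumes PHP 7+ with the pdo_sqlite extension; the employees rows and the sample request values are constructed for the demo.

```php
<?php
// Added example, not code from this thread. It shows the input check Jason
// suggests (is the id really an integer?) and then binds the value instead
// of interpolating it into the SQL string. Assumes PHP 7+ with pdo_sqlite;
// the table contents are constructed for the demo.

// Everything in $_GET is a string, so is_int($_GET['id']) is false even for
// "42". Validate the string form and convert it to a real int instead.
function validate_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// With a bound parameter the query text is fixed; the driver sends the
// value separately, so it can never change the meaning of the statement.
function fetch_employee(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM employees WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the thread's employees table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO employees VALUES (1, 'Ada'), (2, 'Grace'), (42, 'Linus')");

// Constructed request values: one well-formed id, the rest are shapes a
// validator must reject before they get anywhere near the query.
$samples = ['42', '42abc', '1 OR 1=1', '', '-5', '007', null];
foreach ($samples as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        printf("%-12s rejected\n", var_export($raw, true));
        continue;
    }
    $row = fetch_employee($pdo, $id);
    printf("%-12s id %d -> %s\n", var_export($raw, true), $id, $row ? $row['name'] : 'no such employee');
}
```

In a real page the value would come from $_GET['id'] ?? null and a rejected id should end the request with a 400 rather than a query.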