> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> > order by Status DESC, Created ASC";
>
> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
> order by status desc, created asc";
>
> Note the curly braces.
I am trying to start making a conscious effort to alert people to potential security risks associated with certain examples. So, I should have mentioned that constructing an SQL statement with client data is terrible. While my example was only meant to illustrate how to interpolate arrays within a string, I do not want anyone to copy/paste this code and create a security vulnerability.

So, what should really be done is something like this:

1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
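The three steps above, carried through in working PHP. This is an added example written for this page, not code from Chris's reply or from the original poster: it assumes that vesselid is a positive integer key (the thread never says what type the column is), and the final function additionally shows a PDO prepared statement, which goes one step beyond the interpolation-based query discussed in the thread and assumes an existing PDO connection named $db.

```php
<?php
// Added example (not from the original post). Assumptions: vesselid is an
// unsigned integer, and $db, where used, is an already-open PDO connection.
declare(strict_types=1);

/**
 * Step 1: validate. Returns the vessel id as an int, or null when the
 * client-supplied value is not an unsigned integer in a sane range.
 */
function validateVesselId(array $input): ?int
{
    if (!isset($input['vesselid'])) {
        return null;
    }
    $raw = $input['vesselid'];
    // $_GET values can be arrays (?vesselid[]=1), so insist on a string.
    // ctype_digit rejects signs, spaces, "1e3", "0x1A", "7 OR 1=1", quotes, etc.
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/**
 * Step 2: build $clean. Only validated data is ever written into it, so
 * anything read from $clean later is known-good by construction.
 */
function filterInput(array $get): array
{
    $clean = [];
    $id = validateVesselId($get);
    if ($id !== null) {
        $clean['vesselid'] = $id;
    }
    return $clean;
}

/**
 * Step 3: construct the SQL statement from $clean only. Interpolating an
 * int that passed validation cannot change the structure of the query;
 * the curly-brace syntax from the thread is used for the array element.
 */
function buildTicketQuery(array $clean): ?string
{
    if (!isset($clean['vesselid'])) {
        return null; // refuse to build a query with no validated id
    }
    return "SELECT * FROM tickets WHERE VesselID = '{$clean['vesselid']}' "
         . "ORDER BY Status DESC, Created ASC";
}

/**
 * Same query as a PDO prepared statement: the value never becomes part of
 * the SQL text at all. Still reads from $clean, so the filter is kept.
 * ($db is assumed to be an existing PDO connection.)
 */
function fetchTickets(PDO $db, array $clean): array
{
    if (!isset($clean['vesselid'])) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT * FROM tickets WHERE VesselID = :vesselid ORDER BY Status DESC, Created ASC'
    );
    $stmt->execute([':vesselid' => $clean['vesselid']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs standing in for $_GET (not real requests).
foreach (['42', "42' OR '1'='1", '-1', '', ['1']] as $value) {
    $clean = filterInput(['vesselid' => $value]);
    $sql   = buildTicketQuery($clean);
    printf("%-22s => %s\n", var_export($value, true), $sql ?? 'rejected');
}
```

Only the first sample survives the filter; the injection attempt, the negative number, the empty string and the array are all rejected before any SQL is built. The design choice worth noting is that validation is a whitelist (exactly what a vessel id may look like) rather than an attempt to strip or escape dangerous characters, and that the query-building code only ever sees $clean, never $_GET.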