> --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > $query="SELECT * from tickets where VesselID='$_GET['vesselid']'
> > order by Status DESC, Created ASC";
>
> $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
> order by status desc, created asc";
>
> Note the curly braces.
I am trying to start making a conscious effort to alert people to potential
security risks associated with certain examples. So, I should have mentioned
that constructing an SQL statement with client data is terrible. While my
example was only meant to illustrate how to interpolate arrays within a string,
I do not want anyone to copy/paste this code and create a security
vulnerability.
So, what should really be done is something like this:
1. Validate $_GET['vesselid']
2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
3. Construct the SQL statement using $clean['vesselid']
Hope that helps.
Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
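The three steps Chris lists (validate the parameter, copy it into $clean, build the SQL only from $clean) as a complete PHP script. This is an added example, not code from the thread or from Chris. It assumes a vessel id is a positive integer, builds a throwaway SQLite database with constructed sample rows so it runs offline, and also shows a PDO prepared statement, which goes beyond the post as the stricter option. The naive builder is kept only to show what the original interpolation does with hostile input.

```php
<?php
// Added example, not from the original post. Table and column names follow
// the thread; the sample rows and the $_GET-style inputs are constructed.
declare(strict_types=1);

// Step 1: validate. Assumption: a vessel id is a positive integer.
function validateVesselId(mixed $raw): ?int
{
    if (is_int($raw)) {
        return $raw > 0 ? $raw : null;
    }
    // ctype_digit() rejects '', signs, spaces, quotes and semicolons.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Steps 2 and 3: only validated data goes into $clean, and the SQL is
// built from $clean alone. Returns null instead of a query when the
// input is rejected, so nothing unvalidated can reach the database.
function buildTicketQuery(array $get): ?string
{
    $clean = [];
    $id = validateVesselId($get['vesselid'] ?? null);
    if ($id === null) {
        return null;
    }
    $clean['vesselid'] = $id;

    // $clean['vesselid'] is an int, so interpolating it cannot alter the SQL.
    return "SELECT * FROM tickets WHERE VesselID = {$clean['vesselid']} "
         . "ORDER BY Status DESC, Created ASC";
}

// Stricter alternative (beyond the post): a prepared statement, so the
// value never becomes part of the SQL text at all. Validation still applies.
function fetchTickets(PDO $db, array $get): array
{
    $id = validateVesselId($get['vesselid'] ?? null);
    if ($id === null) {
        return [];
    }
    $stmt = $db->prepare(
        'SELECT * FROM tickets WHERE VesselID = :id ORDER BY Status DESC, Created ASC'
    );
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The interpolation from the thread, kept only to show what goes wrong.
function buildNaiveQuery(array $get): string
{
    return "select * from tickets where vesselid = '{$get['vesselid']}' "
         . "order by status desc, created asc";
}

// Demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tickets (TicketID INTEGER PRIMARY KEY, VesselID INTEGER, Status TEXT, Created TEXT)');
$db->exec("INSERT INTO tickets VALUES (1, 7, 'open', '2004-01-01'), (2, 7, 'closed', '2004-01-02'), (3, 8, 'open', '2004-01-03')");

$inputs = [
    ['vesselid' => '7'],                 // valid: 2 rows belong to vessel 7
    ['vesselid' => "7' OR '1'='1"],      // classic injection: naive query returns every row
    ['vesselid' => '7; DROP TABLE tickets'],
];
foreach ($inputs as $get) {
    echo 'input ', var_export($get['vesselid'], true), "\n";
    try {
        $naive = $db->query(buildNaiveQuery($get))->fetchAll(PDO::FETCH_ASSOC);
        echo '  naive interpolation returned ', count($naive), " rows\n";
    } catch (PDOException $e) {
        echo '  naive interpolation failed: ', $e->getMessage(), "\n";
    }
    echo '  validated query: ', buildTicketQuery($get) ?? 'rejected', "\n";
    echo '  prepared statement returned ', count(fetchTickets($db, $get)), " rows\n";
}
```

Run with any PHP 8 build that has pdo_sqlite enabled. The first input yields the intended two rows by every method; the injection input makes the naive query return all three rows, while the validated builder refuses to produce a query and the prepared statement returns nothing.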