Good advice! Thanks!

Jeff

> -----Original Message-----
> From: Chris Shiflett [mailto:[EMAIL PROTECTED] 
> Sent: Friday, October 03, 2003 5:19 PM
> To: Jeff McKeon; php
> Subject: RE: [PHP] User Authentication Continued....
> 
> 
> > --- Jeff McKeon <[EMAIL PROTECTED]> wrote:
> > > $query="SELECT * from tickets where VesselID='$_GET['vesselid']' 
> > > order by Status DESC, Created ASC";
> > 
> > $query = "select * from tickets where vesselid = '{$_GET['vesselid']}'
> >           order by status desc, created asc";
> > 
> > Note the curly braces.
> 
> I am trying to start making a conscious effort to alert 
> people to potential security risks associated with certain 
> examples. So, I should have mentioned that constructing an 
> SQL statement with client data is terrible. While my example 
> was only meant to illustrate how to interpolate arrays within 
> a string, I do not want anyone to copy/paste this code and 
> create a security vulnerability.
> 
> So, what should really be done is something like this:
> 
> 1. Validate $_GET['vesselid']
> 2. If it is valid, $clean['vesselid'] = $_GET['vesselid']
> 3. Construct the SQL statement using $clean['vesselid']
> 
> Hope that helps.
> 
> Chris
> 
> =====
> My Blog
>      http://shiflett.org/
> HTTP Developer's Handbook
>      http://httphandbook.org/
> RAMP Training Courses
>      http://www.nyphp.org/ramp
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
> 

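Chris's three steps written out in PHP, as an added example that is not code from the thread; it assumes VesselID is an integer column, and the mysqli connection `$db` in the trailing comment is hypothetical:

```php
<?php
// Added example (not from the thread): the validate -> $clean -> query
// pattern Chris describes, applied to the vesselid parameter from the thread.
// Assumption: VesselID is a positive integer column, so anything that is not
// a plain string of digits is rejected before it gets anywhere near the SQL.

function validateVesselId(array $input): ?int
{
    if (!isset($input['vesselid']) || !is_string($input['vesselid'])) {
        return null;
    }
    // ctype_digit rejects signs, spaces, quotes and anything non-numeric;
    // the length cap keeps the value inside a normal integer column range.
    if (!ctype_digit($input['vesselid']) || strlen($input['vesselid']) > 10) {
        return null;
    }
    return (int) $input['vesselid'];
}

// Step 1 + 2: validate, and only then copy into $clean.
$clean = [];
$vesselId = validateVesselId($_GET);
if ($vesselId === null) {
    http_response_code(400);
    exit('invalid vesselid');
}
$clean['vesselid'] = $vesselId;

// Step 3: build the statement from $clean only. Because the value is an
// integer, interpolating it cannot change the structure of the query.
$query = "SELECT * FROM tickets WHERE VesselID = {$clean['vesselid']}
          ORDER BY Status DESC, Created ASC";

// One step beyond the thread: a prepared statement keeps data and SQL
// separate even for columns that are not numeric ($db is an assumed
// mysqli connection, not something the thread provides).
// $stmt = $db->prepare('SELECT * FROM tickets WHERE VesselID = ?'
//                    . ' ORDER BY Status DESC, Created ASC');
// $stmt->bind_param('i', $clean['vesselid']);
// $stmt->execute();
```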