Hey thanks guys. Problem solved.
--- Eugene Lee <[EMAIL PROTECTED]> wrote:
> On Tue, Nov 25, 2003 at 11:38:27AM +0100, Marek Kilimajer wrote:
> : Eugene Lee wrote:
> : >
> : >Try using more variables to make life a little easier to parse:
> : >
> : > $colname = $_FORM['form'];
> : > $query = "select {$colname} from structure";
> : > $result = mysql_query($query);
> : > while (($row = mysql_fetch_array($result)) !== false)
> : > {
> : > echo $row[$colname];
> : > }
> : >
> :
> : Very dangerous. $colname can be anything, e.g. "mysql.user.password
> : colname FROM mysql.user #"
>
> I wrote it out this way because: the other user provided no source code,
> I wanted to show working code, it was late and I didn't feel like adding
> anything to secure against intrusions like SQL injection attacks. For
> the sake of completeness, redo the first line above as:
>
> $colname = mysql_escape_string($_FORM['form']);
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
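
In the query discussed in this thread the request value is used as a column name, outside any quoted string, so the check that matters is on the identifier itself. The following is an added example, not code from the thread: it validates the column against an allowlist. The names in ALLOWED_COLUMNS are hypothetical, and addslashes() stands in for mysql_escape_string(), which no longer exists in PHP 7 and later.

```php
<?php
// Added example: allowlist for a value that reaches the query as an identifier.
// ALLOWED_COLUMNS and its entries are hypothetical; "structure" is the table
// named in the thread.
const ALLOWED_COLUMNS = ['id', 'name', 'type'];

function build_column_query(string $requested): string
{
    // Strict comparison against known identifiers. The request value is never
    // concatenated; only the matching constant from the list is.
    $idx = array_search($requested, ALLOWED_COLUMNS, true);
    if ($idx === false) {
        throw new InvalidArgumentException('unknown column requested');
    }
    return 'SELECT `' . ALLOWED_COLUMNS[$idx] . '` FROM structure';
}

// Constructed inputs: a legitimate column, and the value quoted in the thread.
$inputs = ['name', 'mysql.user.password colname FROM mysql.user #'];

foreach ($inputs as $input) {
    // Stand-in for mysql_escape_string(): string escaping targets characters
    // that matter inside a quoted literal (quotes, backslashes, NUL bytes).
    // A value with none of those passes through byte for byte.
    $escaped = addslashes($input);
    printf("input:   %s\n", $input);
    printf("escaping changed the value: %s\n",
        var_export($escaped !== $input, true));

    try {
        printf("query:   %s\n\n", build_column_query($input));
    } catch (InvalidArgumentException $e) {
        printf("rejected: %s\n\n", $e->getMessage());
    }
}
```

When the set of columns cannot be hard-coded, the same check can be run against the column list read from the database schema instead of a constant.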