Eugene Lee wrote:
On Tue, Nov 25, 2003 at 11:38:27AM +0100, Marek Kilimajer wrote:
: Eugene Lee wrote:
: >
: >Try using more variables to make life a little easier to parse:
: >
: > $colname = $_FORM['form']
: > $query = "select {$colname} from structure";
: > $result = mysql_query($query);
: > while (($row = mysql_fetch_array($result)) !== false)
: > {
: > echo $row[$colname];
: > }
: >
:
: Very dangerous. $colname can be anything, e.g. "mysql.user.password
: colname FROM mysql.user #"
I wrote it out this way because: the other user provided no source code,
I wanted to show working code, it was late and I didn't feel like adding
anything to secure against intrusions like SQL injection attacks. For
the sake of completeness, redo the first line above as:
$colname = mysql_escape_string($_FORM['form']);
That does not help at all, there is no character to be escaped in
"mysql.user.password colname FROM mysql.user #". The strig would have to
be in quotes, and column name cannot be in qoutes.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
