On Thu, Jul 16, 2009 at 9:33 AM, Miller,
Terion<tmil...@springfi.gannett.com> wrote:
> Here is what finally worked:
>
> <?php
> $letter = isset($_GET['letter']) ? $_GET['letter'] : "A";
>
> //alphabetical pagination links
> echo '<div align="center"><b>';
> foreach(range('A','Z') as $c){
>     ($letter == $c)
>         ? printf('%s&nbsp;',$c)
>         : printf('<a href="?letter=%s">%s</a>&nbsp;',$c,$c);
> }
> echo "</b></div><p>";
>
> //Show all restaurants that start with $letter
> $sql = "SELECT * FROM restaurants WHERE name LIKE '{$letter}%'";
> $result = mysql_query($sql) or die(mysql_error());
> while($row = mysql_fetch_assoc($result)){
>     printf('<div align="left" width="100"><b>%s</b><br>%s<br>%s<br></div><hr color=#000 width=200>',
>         $row['name'], $row['address'], $row['cviolations']);
> }
> ?>
>
> Thanks again everyone!!


I hope that isn't your final answer. This has SQL injection written
all over it since you are neither validating that $letter is actually
a letter, nor are you escaping it before passing it off to MySQL.

$letter = isset($_GET['letter']) ? $_GET['letter'] : 'A';

if (!preg_match('/^[A-Z]$/i', $letter)) {
    $letter = 'A';
    // Rather than setting $letter to 'A' and continuing,
    // you could generate an error if you end up in here
    // so you can let the user know that what they passed
    // was invalid.
}

In this case, it should be safe to use $letter directly in the query
without passing it through mysql_real_escape_string() since it should
only contain a single harmless alphanumeric letter, but it wouldn't
hurt (and may still be a good idea) to go ahead and escape the value
in the query anyway just in case something in your code changes later
that might cause some cruft to slip in.
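The whitelist-then-escape approach described above, written out as an added example (not code from either poster). The `$escape` callback is an assumption made so the query builder can be exercised without a live MySQL connection; in the real script it would wrap `mysql_real_escape_string()`.

```php
<?php
// Added example, not from the original thread.

// Returns the letter in upper case if $input is exactly one ASCII letter,
// otherwise null. Anything else (empty string, multi-char, '%', quotes,
// multibyte characters) is rejected before it can reach the query.
function validate_letter($input)
{
    if (!is_string($input) || !preg_match('/^[A-Za-z]$/', $input)) {
        return null;
    }
    return strtoupper($input);
}

// Builds the pagination query. The letter is already whitelisted, so it
// cannot carry quotes or LIKE wildcards, but it is escaped anyway so a
// later change to the validation cannot silently reopen the hole.
// $escape is a callable standing in for mysql_real_escape_string()
// (assumption for this example; addslashes() is used when run offline).
function build_restaurant_query($letter, callable $escape)
{
    $safe = $escape($letter);
    return "SELECT name, address, cviolations FROM restaurants "
         . "WHERE name LIKE '{$safe}%'";
}

// Constructed sample values, as they might arrive in $_GET['letter'].
$samples = array('b', 'Z', 'ab', '', '%', "A'", "\xC3\xA9");
foreach ($samples as $s) {
    $v = validate_letter($s);
    printf("%-8s => %s\n", var_export($s, true), $v === null ? 'rejected' : $v);
}

// Instead of falling back to 'A', tell the caller the parameter was bad.
$letter = validate_letter(isset($_GET['letter']) ? $_GET['letter'] : 'A');
if ($letter === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid letter parameter');
}
echo build_restaurant_query($letter, 'addslashes'), "\n";
```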

