Um... yes... you would need the $_POST array if register_globals is off... but since it's not off by default yet... :)
On Wed, 16 Jan 2002, Erik Price wrote:

> Ah, good call.
>
> Although, in your third example (the one where you say "Then you might
> as well just do this:"), you are using the $variable without the $_POST
> array -- with register_globals off, don't I have to use the $_POST array?
>
> But I see what you're saying, that I need to do some checking of the
> variable before using it in a SQL statement. Thanks for the reminder.
>
> Erik
>
>
> On Wednesday, January 16, 2002, at 04:21 PM, Philip Hallstrom wrote:
>
> > My advice would be to do it like this:
> >
> > $variable = $_POST['variable'];
> > // some PHP code that validates that $variable is something reasonable
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >
> > If you just do this:
> >
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE
> > ${_POST['variable']}";
> >
> > Then you might as well just do this:
> >
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >
> >
> > Using the $_* arrays is only part of the solution. You still have to
> > validate/check that data before you rely on it.
> >
> >
> >
> > On Wed, 16 Jan 2002, Erik Price wrote:
> >
> >> Okay, all of that discussion of predefined variables was well and good.
> >> I'm going through my code and changing everything over to use
> >> $_*['variablename'].
> >>
> >> The problem is that a good deal of my code consists of MySQL query
> >> statements with variables inside those statements. An example:
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> You can see where I'm going with this.
> >> Experiments of mine with using array elements within SQL statements
> >> brought some of my questioning to the list just last week. I found
> >> that the following did not work:
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> >> $myrow['variable']";
> >>
> >> So the logical solution, suggested by several on the list, would be to
> >> create a new variable that would contain the array element:
> >>
> >> $variable = $myrow['variable'];
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> This is fine. But won't this contradict the whole point of using the
> >> new predefined variables/arrays? Now someone could pass "variable=1"
> >> along the querystring and start changing the way my page is intended to
> >> work. Or is that what register_globals=Off does -- it disables the
> >> ability for a $_GET variable to be considered a $_POST variable, etc?
> >>
> >> Never mind, I think I just answered my own question.
> >> So which is the preferred (least work) method of changing over the old
> >> code,
> >>
> >> $variable = $_POST['variable'];
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> or
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> >> ${_POST['variable']}";
> >>
> >> I was hoping someone could set me straight before I go off and awk
> >> these sitewide changes....
> >>
> >>
> >> Erik
> >>
> >>
> >> --
> >> PHP General Mailing List (http://www.php.net/)
> >> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >> For additional commands, e-mail: [EMAIL PROTECTED]
> >> To contact the list administrators, e-mail: php-list-[EMAIL PROTECTED]
> >>
> >
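Philip's advice in the thread (read the value from $_POST explicitly, then validate it before it goes anywhere near the SQL string), written out as an added example that is not from the thread. It assumes a current PHP with a PDO connection in `$pdo`, the `table`/`column`/`criteria` names used in the thread, and a hypothetical validation rule (a short alphanumeric token); it also binds the validated value as a query parameter instead of interpolating it, which the thread does not discuss.

```php
<?php
// Added example; not code from the thread. Assumes $pdo is an open PDO
// connection and that a valid "variable" is an alphanumeric token of
// 1 to 32 characters (hypothetical rule chosen for this example).

// Step 1: validate the raw request value. Returns the value only if it
// matches the expected shape, otherwise null.
function validate_criteria(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $raw) === 1 ? $raw : null;
}

// Step 2: run the query with a bound parameter. The value is passed to
// the driver as data, so it can never change the shape of the statement,
// even if the validation rule above is later loosened.
function find_by_criteria(PDO $pdo, string $criteria): array
{
    $stmt = $pdo->prepare(
        'SELECT `table`.`column` FROM `table` WHERE criteria LIKE :pattern'
    );
    $stmt->execute([':pattern' => $criteria . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Read from $_POST explicitly rather than relying on register_globals;
// a missing key yields null, which validate_criteria() rejects.
$variable = validate_criteria($_POST['variable'] ?? null);
if ($variable === null) {
    http_response_code(400);
    exit('invalid value for "variable"');
}
$rows = find_by_criteria($pdo, $variable);
```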