Um... yes... you would need the $_POST array if register_globals is off...
but since it's not off by default yet... :)

On Wed, 16 Jan 2002, Erik Price wrote:

> Ah, good call.
>
> Although, in your third example (the one where you say "Then you might
> as well just do this:"), you are using the $variable without the $_POST
> array -- with register_globals off, don't I have to use the $_POST array?
>
> But I see what you're saying, that I need to do some checking of the
> variable before using it in a SQL statement.  Thanks for the reminder.
>
> Erik
>
>
> On Wednesday, January 16, 2002, at 04:21  PM, Philip Hallstrom wrote:
>
> > My advice would be to do it like this:
> >
> > $variable = $_POST['variable'];
> > // some PHP code that validates that $variable is something reasonable
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >
> > If you just do this:
> >
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE
> > ${_POST['variable']}";
> >
> > Then you might as well just do this:
> >
> > $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >
> >
> > Using the $_* arrays is only part of the solution.  You still have to
> > validate/check that data before you rely on it.
> >
> >
> >
> > On Wed, 16 Jan 2002, Erik Price wrote:
> >
> >> Okay, all of that discussion of predefined variables was well and good.
> >> I'm going through my code and changing everything over to use
> >> $_*['variablename'].
> >>
> >> The problem is that a good deal of my code consists of MySQL query
> >> statements with variables inside those statements.  An example:
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> You can see where I'm going with this.
> >> Experiments of mine with using array elements within SQL statements
> >> brought some of my questioning to the list just last week.  I found that
> >> the following did not work:
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> >> $myrow['variable']";
> >>
> >> So the logical solution, suggested by several on the list, would be to
> >> create a new variable that would contain the array element:
> >>
> >> $variable = $myrow['variable'];
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> This is fine.  But won't this contradict the whole point of using the
> >> new predefined variables/arrays?  Now someone could pass "variable=1"
> >> along the querystring and start changing the way my page is intended to
> >> work.  Or is that what register_globals=Off does -- it disables the
> >> ability for a $_GET variable to be considered a $_POST variable, etc?
> >>
> >> Never mind, I think I just answered my own question.
> >> So which is the preferred (least work) method of changing over the old
> >> code,
> >>
> >> $variable = $_POST['variable'];
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
> >>
> >> or
> >>
> >> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> >> ${_POST['variable']}";
> >>
> >> I was hoping someone could set me straight before I go off and awk these
> >> sitewide changes....
> >>
> >>
> >> Erik
> >>
> >>
> >
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

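The validate-then-query pattern Philip recommends, as an added example that is not from the thread: it assumes PHP 7.1+ with the pdo_sqlite extension, and the `items` table, its columns and the validation policy are constructed for the demo. The value is still copied out of $_POST and checked first, but the SQL is then built as a prepared statement instead of interpolating $variable into the string.

```php
<?php
// Added example: explicit $_POST extraction, validation, then a bound
// parameter instead of string interpolation. In-memory SQLite via PDO so
// it runs offline; table, columns and policy are constructed for the demo.

function openDemoDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)');
    $db->exec("INSERT INTO items (name, secret) VALUES ('public widget', 'none'),
               ('50% off gadget', 'none'), ('internal gadget', 'staff only')");
    return $db;
}

// Step 1: pull the value out of $_POST explicitly and check it before use.
// Returns null when the input is missing or fails validation.
function validatedSearchTerm(array $post): ?string {
    if (!isset($post['variable']) || !is_string($post['variable'])) {
        return null;
    }
    $term = $post['variable'];
    // Constructed policy: 1-32 chars from a small allow-list (no quotes, etc.).
    if (!preg_match('/^[A-Za-z0-9_% .-]{1,32}$/', $term)) {
        return null;
    }
    return $term;
}

// Step 2: never interpolate the value into the SQL string; bind it instead.
// LIKE wildcards typed by the user are escaped so a search for "50%" matches
// that literal text rather than every row.
function findItems(PDO $db, string $term): array {
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    $stmt = $db->prepare("SELECT name FROM items WHERE name LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = openDemoDb();

// Constructed inputs: two ordinary searches and one that a string-built
// query would have treated as SQL syntax; the last one never reaches the DB.
foreach (["widget", "50%", "x' OR '1'='1"] as $input) {
    $term = validatedSearchTerm(['variable' => $input]);
    if ($term === null) {
        echo "rejected: $input\n";
        continue;
    }
    print_r(findItems($db, $term));
}
```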