What I meant was something like this: The user types in the URL http://myplace/script.php?query=DELTE * FROM table WHERE id=1. The query is overwritten and the section is deleted...
Is that possible? > ----- Original Message ----- > From: "Rasmus Lerdorf" <[EMAIL PROTECTED]> > To: "Stephen" <[EMAIL PROTECTED]> > Cc: "PHP List" <[EMAIL PROTECTED]> > Sent: Sunday, November 17, 2002 3:46 PM > Subject: Re: [PHP] Protecting Queries > > > > No, that it fine. User-supplied data can not override a variable defined > > directly in your script like that regardless of the register_globals > > setting. > > > > -Rasmus > > > > On Sun, 17 Nov 2002, Stephen wrote: > > > > > Since day one of me doing MySQL stuff in PHP, I've always set up my > query as a variable then put it into the query function such as this: > > > > > > $query = "SELECT * FROM bobstuff WHERE id='1'"; > > > $result = mysql_query($query, $connection); > > > > > > I've just come aware of the security risks of this. How could I make it > so the $query variable isn't editable from the URL? Should I turn > register_globals off? > > > > > > Thanks, > > > Stephen Craton > > > http://www.melchior.us > > > > > > "Life is a gift from God. Wasting it is like destroying a gift you got > from the person you love most." -- http://www.melchior.us > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
