On Fri, Feb 13, 2009 at 6:01 PM, Mika Jaaksi wrote:
> With these:
>
> $band_id = $_SESSION['session_var'];
> echo "band_id: " . $band_id;
>
> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
> echo "query: " . $query;
>
> I get these:
>
> band_id: 11
> query: SELECT * FROM pic_upload WHER
Mika,
Echo out the dynamically created SQL statement, i.e., $query = "SELECT *
FROM MyTable WHERE ID = ${ID}"; ECHO $query; Let us see what is
actually being passed.
P.S. I couldn't agree more with the poster that said, don't pass user
input directly to a SQL statement.
-Original Message-
>> $band_id = $_SESSION['session_var'];
>> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";
It's always better not to concatenate user input into queries, otherwise
you are vulnerable to SQL Injection attacks:
http://www.sans.org/top25errors/#cat1
Use bind variables with the appropri
Don't see session_start() in your script. If you work with SESSION, you
must have it on the first lines of the file (before any output and work
with $_SESSION so it's good to put it on the first lines).
And it must be in every file which works with them (except for included
files). It should l
Mika,
Put the dollar sign (i.e., $) outside the curly brace.
$query="SELECT * FROM pic_upload WHERE band_id='${band_id}'";
A-
-Original Message-
From: Mika Jaaksi [mailto:mika.jaa...@gmail.com]
Sent: Thursday, February 12, 2009 12:27 PM
To: php-db@lists.php.net
Subject: [PHP-DB] Re: se
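As an added example (not code from any poster in this thread), here is the lookup from the original message with both pieces of advice above applied: session_start() before any output, and a PDO prepared statement with a bound integer parameter instead of interpolating $band_id into the query string. The DSN, credentials and the fallback session value are placeholders constructed for the example; the table and column names are the thread's own.

```php
<?php
// session_start() must run before any output, in every script that
// reads or writes $_SESSION (included files inherit it).
session_start();

// Constructed fallback so the example runs stand-alone; in the real
// application the login code sets this value.
if (!isset($_SESSION['session_var'])) {
    $_SESSION['session_var'] = '11';
}

// Placeholder connection details.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

function fetch_pics_for_band(PDO $pdo, $raw_band_id)
{
    // band_id is an integer column: validate the type before the value
    // gets anywhere near the query.
    $band_id = filter_var($raw_band_id, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($band_id === false) {
        throw new InvalidArgumentException('band_id must be a positive integer');
    }

    // The SQL text contains only a placeholder; the value travels
    // separately, so it cannot alter the statement's structure. Echoing
    // $sql for debugging therefore shows the placeholder, not the value.
    $sql  = 'SELECT * FROM pic_upload WHERE band_id = :band_id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':band_id', $band_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$rows = fetch_pics_for_band($pdo, $_SESSION['session_var']);
echo 'rows: ' . count($rows) . "\n";
```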