I have no knowledge (YET) of how to prevent sql injection attacks with
php.
Just yesterday I read a short tutorial on http://www.dotgeek.org on how
to prevent sql injection.
The site is down right now for maintenance otherwise I would have a
direct link to the article for you.
try searching go
- gil
> -Original Message-
> From: Micah Stevens [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 4:01 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] using query_strings in sql
>
>
>
> You may have register Globals turned off in php.ini.
>
, 2004 3:53 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [PHP-DB] using query_strings in sql
>
>
>
> WHAT DOESN'T HAPPEN is that the query_string values DO NOT trump the
> default
> variables.
>
> so query_string = ?class=X&section=Y&or
ection
> ORDER BY $class $order
>
> -- gil
>
> thx for all your patience
>
> > -Original Message-
> > From: Micah Stevens [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 21, 2004 3:12 PM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [PHP-DB] u
WHAT DOESN'T HAPPEN is that the query_string values DO NOT trump the
default
variables.
so query_string = ?class=X&section=Y&order=ASC
I can't input these variables : $class,$section,$order into the SQL
statement
SELECT *
FROM classes
WHERE section=$section
ORDER BY $class $order
I am getting in
-Original Message-
> From: Micah Stevens [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 3:12 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] using query_strings in sql
>
>
>
> Here goes:
>
> 1) That should work fine. Be sure and enclose the
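The query discussed in this thread (SELECT * FROM classes WHERE section=$section ORDER BY $class $order), built from query-string input without pasting that input into the SQL text. This is an added example, not code from any poster; the table and column names (classes, section, title, cost) and the connection details are assumptions.

```php
<?php
// Added example, not code from the thread. The WHERE value is bound as
// a parameter; the ORDER BY column and direction, which cannot be bound,
// are mapped through fixed allow-lists instead of copied into the SQL.
// Table and column names below are assumptions.

// Request value => column identifier that may appear after ORDER BY.
const SORTABLE_COLUMNS = [
    'section' => 'section',
    'title'   => 'title',
    'cost'    => 'cost',
];

/**
 * Turn raw request input ($_GET, instead of register_globals) into
 * SQL text plus the values to bind. Returns [$sql, $params].
 */
function buildClassQuery(array $get): array
{
    // WHERE value: a placeholder, so the driver handles quoting and the
    // value can never change the shape of the statement.
    if (!isset($get['section']) || $get['section'] === '') {
        throw new InvalidArgumentException('section is required');
    }

    $class = $get['class'] ?? 'title';
    if (!array_key_exists($class, SORTABLE_COLUMNS)) {
        throw new InvalidArgumentException('unknown sort column');
    }

    $order = strtoupper($get['order'] ?? 'ASC');
    if ($order !== 'ASC' && $order !== 'DESC') {
        throw new InvalidArgumentException('unknown sort direction');
    }

    $sql = 'SELECT * FROM classes WHERE section = :section'
         . ' ORDER BY ' . SORTABLE_COLUMNS[$class] . ' ' . $order;
    return [$sql, [':section' => $get['section']]];
}

// Usage with PDO; DB_NAME/DB_USER/DB_PASS are placeholders.
[$sql, $params] = buildClassQuery($_GET);
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepare
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars($row['title']) . "\n";
}
```

A request such as ?class=title&order=DESC&section=Y reaches the database as a prepared statement with one bound value; any class or order value not on the allow-lists is rejected before a query is built.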
Here goes:
1) That should work fine. Be sure and enclose the SQL in double quotes or the
variable will not get translated into its value.
2) That's fine too, nothing wrong there.
3) this is wrong, but it looks like you just omitted the SQL statement. Be
sure and use the or die statement as i
;classCost"] . "\n";
echo "";
}
echo "";
}
$title = "XXX: Administration: List Classes";
?>
.hide
{
background-color: #
my bad: I typed in the script and forgot the echo.
-- gil
> -Original Message-
> From: Rick Dahl [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, January 21, 2004 2:28 PM
> To: mayo; [EMAIL PROTECTED]
> Subject: Re: [PHP-DB] using query_strings in sql
>
>
> [EMAIL PROTECTED]>
Sent: Wednesday, January 21, 2004 1:10 PM
Subject: RE: [PHP-DB] using query_strings in sql
> I have a table displaying data. The column headers are links that allow
the
> users to order the content in ASC or DESC.
>
> basic version is:
>
> Title
>
>
> Unfortunately it's not working :(
>
>
> thx, gil
>
> > -Original Message-
> > From: Micah Stevens [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, January 21, 2004 1:59 PM
> > To: [EMAIL PROTECTED]
> > Cc: mayo
> > Subject: Re: [PHP
o: [EMAIL PROTECTED]
> Cc: mayo
> Subject: Re: [PHP-DB] using query_strings in sql
>
>
>
> I may be misunderstanding you, but your first statement about
> pulling from a
> query string is throwing me.
>
> will only display the value of $section
> on the scre
I may be misunderstanding you, but your first statement about pulling from a
query string is throwing me.
will only display the value of $section on the screen.
You will need to build a form to get a value into $section.
something.php:
Now you can do your query:
$selection = mysql_q
I'm a cold fusion refugee and am having incredible problems with something
that I think is relatively easy -- so I must be missing something basic.
I would like to pull info from a query string and use it inside a database
call.
I can pull the query string into a general variable:
now I would