I got it, thanks Balint
The problem is that if you put the POST value directly into the query, attack
code can be placed in the field (e.g. DROP DATABASE;). This is called
"SQL injection".
What I mean by filtering:
always check the values in the query, e.g.: $id = $_POST['id'];
if(is_numeric($id)){...}else{bad post}
and at
On Wed, May 25, 2011 at 8:15 AM, Eli Orr (Office) wrote:
> Hi,
>
> Since UTF-8 is a multi-byte mechanism, for a 2 or 3 byte UTF-8 encoded
> character I get a single character.
>
> How can it be broken into the REAL byte array that represents the UTF-8
> string,
> and how can we reassemble the by
Thanks to all :D
Paul, you are absolutely right :D
It was a bad mistake from me;
there was no need to convert it.
Balint helped me, and with mysql_error I found that
my code hasn't any mistake.
I just forgot the BIG thing!
Selecting the DB :D
I totally forgot it because I had array keys with an if statement, and in there I
Hi,
Since UTF-8 is a multi-byte mechanism, for a 2 or 3 byte UTF-8 encoded
character I get a single character.
How can it be broken into the REAL byte array that represents the UTF-8
string,
and how can we reassemble the byte array back to UTF-8?
--
Best Regards,
*Eli Orr*
CTO & Founde
On Tue, 24 May 2011 23:47:47 +0700, "Paul S" wrote:
On Tue, 24 May 2011 21:09:34 +0700, "Richard S. Crawford"
wrote:
On Tue, May 24, 2011 at 6:51 AM, Paul S wrote:
I'd like to check a table to retrieve rows for which one field equals one
of a set of values
#get products(fields)
Hello Negin,
$query1="select * from patient where id=".$_POST['txt'];
$result1=mysql_query($query1);
$rows=mysql_num_rows($result1);
Note: you *didn't* execute the query by calling mysql_query on it.
--
With best regards from Ukraine,
Andre
Skype: Francophile
My blog: http://oire.org/menelion (mo
"Vitalii Demianets" wrote:
>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
>Holy Jesus!
>Can't wait to send to your server POST request with txt="1;DROP
>DATABASE; --"
>
>Of course, if you'
Of course, you have to use filters etc...
Bálint Horváth
On 25 May 2011 09:53, "Vitalii Demianets" wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send
On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
> my code is this:
> $query1="select * from patient where id=".$_POST['txt'];
> it works but
Holy Jesus!
Can't wait to send to your server POST request with txt="1;DROP DATABASE; --"
Of course, if you'll switch to prepared statements instead
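The query quoted above, as an added example that is not part of any post in this thread: the concatenated version next to a hardened version that applies Balint's type check and Vitalii's prepared-statement suggestion. It assumes a mysqli connection (with the database selected, which Negin had forgotten), a `patient` table with an integer `id` column, and the mysqlnd driver for `get_result()`; the connection values are placeholders.

```php
<?php
// Added example, not code from the thread. Assumes: mysqli connection $db,
// table `patient` with integer column `id`, mysqlnd available for get_result().

// VULNERABLE: the POST value is concatenated straight into the SQL text, so the
// client controls the statement itself, not just a value inside it.
function findPatientUnsafe(mysqli $db, array $post): ?array
{
    $query = "select * from patient where id=" . $post['txt'];
    $result = $db->query($query);
    if ($result === false) {
        // the mysql_error()-style check Balint suggested: log, do not hide
        error_log('query failed: ' . $db->error);
        return null;
    }
    return $result->fetch_assoc() ?: null;
}

// HARDENED: reject anything that is not a plain digit string (tighter than
// is_numeric, which also accepts "1e3" or " 1"), then bind the value as a
// parameter so it can never alter the statement's structure.
function findPatientSafe(mysqli $db, array $post): ?array
{
    $raw = $post['txt'] ?? '';
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                       // "bad post": refuse to query
    }
    $id = (int) $raw;

    $stmt = $db->prepare('SELECT * FROM patient WHERE id = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);
        return null;
    }
    $stmt->bind_param('i', $id);           // 'i' binds as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (connection parameters are placeholders). Passing the database name to
// the constructor selects the DB, the step Negin's original code was missing.
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// var_dump(findPatientSafe($db, $_POST));
```

With the hardened function, a value such as the one Vitalii quotes fails the `ctype_digit` check and never reaches the database; even a well-formed integer only ever travels as a bound parameter.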