On Wed, Jan 14, 2009 at 11:34 AM, MikeP <mpel...@princeton.edu> wrote:
>
> "Eric Butera" <eric.but...@gmail.com> wrote in message
> news:6a8639eb0901140825h1d603d01i3ffcce919dca6...@mail.gmail.com...
>> On Wed, Jan 14, 2009 at 11:17 AM, MikeP <mpel...@princeton.edu> wrote:
>>> Hello,
>>> I am trying to get the following to work:
>>> "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'"
>>> Netid is a string type.
>>> No matter where of if I put the quotes, I still get array[phpCAS] not the
>>> value.
>>> If there is anything I still have trouble with after all these years its
>>> quoting variables.
>>> Help?
>>> Thanks
>>> Mike
>>>
>>>
>>>
>>> --
>>> PHP General Mailing List (http://www.php.net/)
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>>
>> Dude we just helped you with this same exact thing the other day.  And
>> you're still allowing SQL injection.
>
> No, actually I test my queries first and then wrap them in
> mysql_real_escape_string().
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Mike,

Well to be fair, I don't see any escaping in "Select Netid from Users
where Netid = '$_SESSION[phpCAS][user]'".  You could write:

$sql = sprintf(
    "Select Netid from Users where Netid = '%s'",
    mysql_real_escape_string($_SESSION['phpCAS']['user'])
);

and not have any of these problems.  If you're escaping outside of
that statement, then it's potentially tainting your data.

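An added example, not code from anyone in the thread, that shows the two separate problems the reply points at: the double-quoted string only interpolates one level of array index (so the nested element never reaches the query), and whatever does reach the query must be escaped or bound at the point of use, not somewhere earlier. The session layout (`$_SESSION['phpCAS']['user']`), the sample value `o'brien`, and the `Users`/`Netid` schema are assumptions taken from the thread; `mysqli` stands in for the `mysql_*` functions, which were removed in PHP 7, and the prepared statement at the end is a swapped-in alternative the thread itself does not mention.

```php
<?php
// Added example (not from the thread). Assumes phpCAS stores the login
// name under $_SESSION['phpCAS']['user'], as the original question shows.
$_SESSION = ['phpCAS' => ['user' => "o'brien"]];   // constructed sample value

// 1. Double-quoted "simple" interpolation parses only ONE array index.
//    $_SESSION[phpCAS] is itself an array, so PHP converts it to the string
//    "Array" (with an "Array to string conversion" warning) and the trailing
//    [user] is kept as literal text. The query never sees the user name.
$broken = "Select Netid from Users where Netid = '$_SESSION[phpCAS][user]'";
// $broken is: Select Netid from Users where Netid = 'Array[user]'

// 2. The {} "complex" syntax does reach the nested element, but the raw
//    value is still pasted into SQL: the apostrophe in o'brien terminates
//    the string literal and breaks (or alters) the statement.
$interpolated = "Select Netid from Users where Netid = '{$_SESSION['phpCAS']['user']}'";
// $interpolated is: Select Netid from Users where Netid = 'o'brien'

// 3. Escape at the point of use, as the reply suggests. Escaping needs an
//    open connection because it is charset-dependent, which is also why
//    escaping "outside" the statement and storing the result is fragile.
function build_query_escaped(mysqli $db, string $netid): string
{
    return sprintf(
        "Select Netid from Users where Netid = '%s'",
        $db->real_escape_string($netid)
    );
}

// 4. Prepared statement: the value is sent separately from the SQL text,
//    so quoting rules never apply to it at all.
function lookup_netid(mysqli $db, string $netid): ?string
{
    $stmt = $db->prepare("Select Netid from Users where Netid = ?");
    $stmt->bind_param('s', $netid);          // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($found);
    $row = $stmt->fetch() ? $found : null;   // null when no such Netid
    $stmt->close();
    return $row;
}

// Usage (requires a live connection; credentials are placeholders):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// $sql = build_query_escaped($db, $_SESSION['phpCAS']['user']);
// $netid = lookup_netid($db, $_SESSION['phpCAS']['user']);
```

Both `build_query_escaped()` and `lookup_netid()` take the connection as a parameter so the escaping or binding happens where the value is used; if you keep the `sprintf` form, make sure `real_escape_string()` is called on the same connection that will run the query, after its character set has been set.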