My advice would be to do it like this:

$variable = $_POST['variable'];
// some PHP code that validates that $variable is something reasonable
$sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
If you just do this:

$sql = "SELECT table.column FROM table WHERE criteria LIKE ${_POST['variable']}";

Then you might as well just do this:

$sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";

Using the $_* arrays is only part of the solution. You still have to
validate/check that data before you rely on it.

On Wed, 16 Jan 2002, Erik Price wrote:

> Okay, all of that discussion of predefined variables was well and good.
> I'm going through my code and changing everything over to use
> $_*['variablename'].
>
> The problem is that a good deal of my code consists of MySQL query
> statements with variables inside those statements. An example:
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>
> You can see where I'm going with this.
> Experiments of mine with using array elements within SQL statements
> brought some of my questioning to the list just last week. I found that
> the following did not work:
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> $myrow['variable']";
>
> So the logical solution, suggested by several on the list, would be to
> create a new variable that would contain the array element:
>
> $variable = $myrow['variable'];
> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>
> This is fine. But won't this contradict the whole point of using the
> new predefined variables/arrays? Now someone could pass "variable=1"
> along the querystring and start changing the way my page is intended to
> work. Or is that what register_globals=Off does -- it disables the
> ability for a $_GET variable to be considered a $_POST variable, etc?
>
> Never mind, I think I just answered my own question.
> So which is the preferred (least work) method of changing over the old
> code,
>
> $variable = $_POST['variable'];
> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>
> or
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE
> ${_POST['variable']}";
>
> I was hoping someone could set me straight before I go off and awk these
> sitewide changes....
>
>
> Erik
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
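A worked version of the reply's point that copying $_POST into a variable is not validation, added here as an example and not code from anyone in the thread. It assumes a PHP build with the PDO and SQLite extensions, a hypothetical table `items` with a text column `name` standing in for the thread's `table.column`, and function names and the allow-list pattern chosen for this example.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7 with PDO/SQLite and
// a hypothetical table `items` (column `name`) mirroring the thread's
// "... WHERE criteria LIKE $variable" query shape.

// 1. Validate the request value against an allow-list before using it.
//    The pattern (short token of letters, digits, '_' or '-') is an
//    assumption for this example; pick what the application really accepts.
function validate_search_term(?string $raw): string
{
    if ($raw === null || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw)) {
        throw new InvalidArgumentException('bad search term');
    }
    return $raw;
}

// 2. Keep the value out of the SQL text: bind it to a placeholder and put
//    the LIKE wildcard on the bound value, not in the query string.
function find_items(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT name FROM items WHERE name LIKE :pattern');
    $stmt->execute([':pattern' => $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The 'before' form from the thread: the request body becomes SQL text.
function interpolated_sql(string $variable): string
{
    return "SELECT name FROM items WHERE name LIKE $variable";
}

// Demonstration on an in-memory database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$db->exec("INSERT INTO items VALUES ('widget'), ('wrench'), ('bolt')");

$_POST['variable'] = 'w';                          // constructed request value
$term = validate_search_term($_POST['variable'] ?? null);
print_r(find_items($db, $term));                   // widget, wrench

try {
    // A quote or space fails the allow-list, so it never reaches the query.
    validate_search_term("o'brien");
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```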