Ah, good call.

Although, in your third example (the one where you say "Then you might 
as well just do this:"), you are using the $variable without the $_POST 
array -- with register_globals off, don't I have to use the $_POST array?

But I see what you're saying, that I need to do some checking of the 
variable before using it in a SQL statement.  Thanks for the reminder.

Erik


On Wednesday, January 16, 2002, at 04:21 PM, Philip Hallstrom wrote:

> My advice would be to do it like this:
>
> $variable = $_POST['variable'];
> // some PHP code that validates that $variable is something reasonable
> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>
> If you just do this:
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE ${_POST['variable']}";
>
> Then you might as well just do this:
>
> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>
>
> Using the $_* arrays is only part of the solution.  You still have to
> validate/check that data before you rely on it.
>
>
>
> On Wed, 16 Jan 2002, Erik Price wrote:
>
>> Okay, all of that discussion of predefined variables was well and good.
>> I'm going through my code and changing everything over to use
>> $_*['variablename'].
>>
>> The problem is that a good deal of my code consists of MySQL query
>> statements with variables inside those statements.  An example:
>>
>> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>>
>> You can see where I'm going with this.
>> Experiments of mine with using array elements within SQL statements
>> brought some of my questioning to the list just last week.  I found that
>> the following did not work:
>>
>> $sql = "SELECT table.column FROM table WHERE criteria LIKE $myrow['variable']";
>>
>> So the logical solution, suggested by several on the list, would be to
>> create a new variable that would contain the array element:
>>
>> $variable = $myrow['variable'];
>> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>>
>> This is fine.  But won't this contradict the whole point of using the
>> new predefined variables/arrays?  Now someone could pass "variable=1"
>> along the querystring and start changing the way my page is intended to
>> work.  Or is that what register_globals=Off does -- it disables the
>> ability for a $_GET variable to be considered a $_POST variable, etc?
>>
>> Nevermind, i think I just answered my own question.
>> So which is the preferred (least work) method of changing over the old code,
>>
>> $variable = $_POST['variable'];
>> $sql = "SELECT table.column FROM table WHERE criteria LIKE $variable";
>>
>> or
>>
>> $sql = "SELECT table.column FROM table WHERE criteria LIKE ${_POST['variable']}";
>>
>> I was hoping someone could set me straight before I go off and awk these
>> sitewide changes....
>>
>>
>> Erik
>>
>>
>


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

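Added example, written for this page and not code posted by anyone in the thread above. It shows the point Philip makes: `$variable = $_POST['variable']` followed by `"... LIKE $variable"`, and the inline `"... LIKE {$_POST['variable']}"`, build exactly the same SQL string, so moving data into the `$_*` arrays (or turning register_globals off) does nothing to make that string safe. It also shows what "validate before you rely on it" looks like, using an allowlist check plus a bound parameter. Notes on the PHP string syntax, since it comes up twice in the thread: `"$myrow['variable']"` with a quoted key inside double quotes is a parse error (which is why it "did not work"), `"$myrow[variable]"` with the key unquoted and `"{$myrow['variable']}"` both work, and Philip's `"${_POST['variable']}"` form also works but is deprecated as of PHP 8.2. The script uses PDO with an in-memory SQLite database so it runs offline; PDO and prepared statements postdate the 2002 thread and stand in for the escaping functions of that era. The table, rows, column names and the POST payload are constructed for the demo.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates that copying
// $_POST['variable'] into $variable does not change the SQL you end up
// running, and that validation plus a bound parameter does.
// Assumptions: PDO with the sqlite driver is available; the table "items",
// its rows, and the $_POST payload below are constructed for this demo.
declare(strict_types=1);

function buildDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE items (name TEXT NOT NULL, is_private INTEGER NOT NULL)");
    $db->exec("INSERT INTO items VALUES ('public-notes', 0), ('payroll-2002', 1)");
    return $db;
}

// The pattern from the thread: user input interpolated straight into the SQL.
// Whether $variable came from $_POST, $_GET or register_globals is irrelevant
// to what the database sees.
function unsafeSearch(PDO $db, string $variable): array
{
    $sql = "SELECT name FROM items WHERE is_private = 0 AND name LIKE '$variable'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The same query done the way Philip describes: check the value first, then
// keep it out of the SQL text entirely by binding it as a parameter.
function safeSearch(PDO $db, string $variable): array
{
    // Allowlist: letters, digits and hyphen, 1 to 32 characters. This also
    // rejects the LIKE wildcards % and _, which are not an injection but would
    // let a caller match every row.
    if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $variable)) {
        throw new InvalidArgumentException('rejected search term');
    }
    $stmt = $db->prepare("SELECT name FROM items WHERE is_private = 0 AND name LIKE :pattern");
    $stmt->execute([':pattern' => $variable . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed POST body: the kind of value an attacker submits in the field.
$_POST = ['variable' => "%' OR '1'='1"];

// The two spellings discussed in the thread produce one and the same string.
$variable = $_POST['variable'];
$viaCopy   = "SELECT name FROM items WHERE name LIKE '$variable'";
$viaInline = "SELECT name FROM items WHERE name LIKE '{$_POST['variable']}'";
var_dump($viaCopy === $viaInline);   // bool(true)
echo $viaCopy, "\n";                 // ... WHERE name LIKE '%' OR '1'='1'

$db = buildDemoDb();

// AND binds tighter than OR, so the injected clause returns every row,
// including the private one the WHERE clause was meant to hide.
print_r(unsafeSearch($db, $variable));   // public-notes and payroll-2002

// The hardened version rejects the payload outright ...
try {
    print_r(safeSearch($db, $variable));
} catch (InvalidArgumentException $e) {
    echo "safeSearch: ", $e->getMessage(), "\n";   // rejected search term
}

// ... and serves legitimate input without ever splicing it into SQL text.
print_r(safeSearch($db, 'public'));      // only public-notes
```

Run it with `php example.php`. The allowlist is the part that has to be written per field; a search term, a numeric id and a date each get their own check, and the bound parameter then guarantees that whatever survives the check is treated as data, not as part of the query.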