At 3:31 PM -0500 11/17/02, Stephen wrote:
Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this:

$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);

I've just become aware of the security risks of this. How could I make it so the $query variable isn't editable from the URL? Should I turn register_globals off?


Typically speaking you should always use the PHP mysql_escape_string() function when accepting data from users. I'm not certain it's relevant in your situation, though, since your variable is predefined. But this would be of importance for any forms you would have. To use it you just add some code such as:

$usrName=mysql_escape_string($usrName);

one for each field on a form, then you can do

$result=mysql_query("SELECT * FROM abc WHERE usrName='$usrName'", $gDB);

This will protect you from users who enter Select, DROP, and other statements in your data field.

Alnisa
--
.........................................
Alnisa Allgood
Executive Director
Nonprofit Tech
(ph) 415.337.7412 (fx) 415.337.7927
(url) http://www.nonprofit-techworld.org
(url) http://www.nonprofit-tech.org
(url) http://www.tech-library.org
.........................................
Nonprofit Tech E-Update
.........................................
transforming nonprofits through technology
.........................................
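As an added example (not code from either poster), the two ways of keeping request data out of the SQL structure that the reply points at, written for a current PHP where the mysql_* functions no longer exist: escaping into a quoted literal, and binding a parameter. The connection credentials and the table `bobstuff` with columns `id` and `usrName` are placeholders/assumptions.

```php
<?php
// Added example, not code from the original thread. Credentials and the table
// `bobstuff(id, usrName)` are assumptions. Needs the mysqli and PDO extensions.

// Read input explicitly from the request rather than relying on register_globals,
// so a URL parameter can never overwrite a server-side variable such as $query.
$usrName = $_GET['usrName'] ?? '';
$id      = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    $id = 0; // anything that is not an integer is rejected before it nears SQL
}

// 1. Escaping, as the reply describes. The escaped value is only safe because it
//    sits inside single quotes; the same value unquoted would still be injectable.
function lookupByNameEscaped(mysqli $db, string $usrName): mysqli_result|false
{
    // real_escape_string() honours the connection character set, which the
    // older mysql_escape_string() did not.
    $safe = $db->real_escape_string($usrName);
    $sql  = "SELECT * FROM bobstuff WHERE usrName = '$safe'";
    return $db->query($sql);
}

// 2. Bound parameter. The value never becomes part of the SQL text, so quoting
//    is irrelevant and numeric columns such as `id` are covered as well.
function lookupByIdBound(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM bobstuff WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new mysqli('localhost', 'USER_PLACEHOLDER', 'PASS_PLACEHOLDER', 'DB_PLACEHOLDER');
$db->set_charset('utf8mb4'); // escaping depends on the connection charset

$pdo = new PDO('mysql:host=localhost;dbname=DB_PLACEHOLDER;charset=utf8mb4',
               'USER_PLACEHOLDER', 'PASS_PLACEHOLDER',
               [PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                PDO::ATTR_EMULATE_PREPARES => false]); // real server-side prepares

$byName = lookupByNameEscaped($db, $usrName);
$byId   = lookupByIdBound($pdo, $id);
echo "rows by name: " . ($byName ? $byName->num_rows : 0) . "\n";
echo "rows by id: " . count($byId) . "\n";
```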


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php