At 3:31 PM -0500 11/17/02, Stephen wrote:
Since day one of me doing MySQL stuff in PHP, I've always set up my
query as a variable then put it into the query function such as this:
$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);
I've just come
Oh, right, thanks!
- Original Message -
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Stephen" <[EMAIL PROTECTED]>
Sent: Sunday, November 17, 2002 4:05 PM
Subject: Re: [PHP] Protecting Queries
> No, like I said, since you set $query in your scrip
ED]>
> To: "Stephen" <[EMAIL PROTECTED]>
> Cc: "PHP List" <[EMAIL PROTECTED]>
> Sent: Sunday, November 17, 2002 3:46 PM
> Subject: Re: [PHP] Protecting Queries
>
>
> > No, that is fine. User-supplied data can not override a variable
de
No, that is fine. User-supplied data can not override a variable defined
directly in your script like that regardless of the register_globals
setting.
-Rasmus
On Sun, 17 Nov 2002, Stephen wrote:
> Since day one of me doing MySQL stuff in PHP, I've always set up my query as a
>variable then put
the issue isn't with query, it's with variables used within queries...
example:
$id = $_GET['id'];
$query = "SELECT * FROM mytable WHERE id=$id";
and if you call this page as (or something like this):
?id='' OR 1=1
You can alter the query
-js
Stephen wrote:
> Since day one of me doing MySQL s
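Added example, not part of the original thread: the concatenated query from the message above next to two hardened forms, a bound parameter and integer validation. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection; the table contents and the `$id` value standing in for `$_GET['id']` are constructed.

```php
<?php
// Constructed table and rows in an in-memory SQLite database
// (assumption: the thread itself uses MySQL through mysql_query()).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, note TEXT)");
$db->exec("INSERT INTO mytable (id, note) VALUES (1, 'first'), (2, 'second'), (3, 'third')");

// Constructed stand-in for $_GET['id'] when the page is requested
// with the query string shown in the message.
$id = "'' OR 1=1";

// Before: the value is pasted into the SQL text, so the database parses it
// as part of the statement and the WHERE clause no longer limits by id.
$query = "SELECT * FROM mytable WHERE id=$id";
$rows = $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
printf("concatenated: %s -> %d row(s)\n", $query, count($rows));

// After, option 1: the SQL text is fixed and the value travels separately
// as a bound parameter, so it is only ever compared against the id column.
$stmt = $db->prepare("SELECT * FROM mytable WHERE id = :id");
$stmt->execute([':id' => $id]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("bound parameter: %d row(s)\n", count($rows));

// After, option 2: an id is expected to be an integer, so reject anything
// else before it reaches the database at all.
$valid = filter_var($id, FILTER_VALIDATE_INT);
if ($valid === false) {
    echo "validation: rejected, id is not an integer\n";
} else {
    $stmt->execute([':id' => $valid]);
    printf("validation: %d row(s)\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
}
```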