Posted by Dodger on 07/05/06 12:16
Jerry Stuckle wrote:
> Dodger wrote:
> > Sandman wrote:
> >
> >>In article <1152094733.815375.105700@a14g2000cwb.googlegroups.com>,
> >> "Dodger" <el.dodgero@gmail.com> wrote:
> >
> >
> >>I've not used "mysqli", but doing the above in mysql:
> >>
> >><?php
> >> $db = mysql_connect("host", "user", "password");
> >> mysql_select_db("database", $db); // placeholder database name
> >>
> >> $q = mysql_query("select * from cities where country = 'USA'");
> >> $cities = array();
> >> while ($r = mysql_fetch_assoc($q)){
> >> $cities[] = $r["city"];
> >> }
> >>
> >> foreach ($cities as $city){
> >> # Do stuff
> >> }
> >>?>
> >
> >
> > Well, I do need bind variables. In the non-mysqli example up there, the
> > country is hardcoded into the statement. Even if I filled that in with
> > a variable, what if it was a variable that was passed in by a user? It
> > would be too easy to hack and would end up either potentially crippling
> > things or with an arms race between me and some l33+ haxcsore wanker
> > who thinks he's clever.
> >
>
> Proper escaping of the string will prevent sql injection attacks. Bind
> variables are not required. See mysql_real_escape().
> >
> >>Why the extra foreach? Just "do stuff" in the mysql while loop.
> >
> >
> > Could be plenty of reasons. In the example up top, I am populating the
> > environment (%ENV in Perl, $_ENV in PHP) with my special session
> > variables (and yes, I know PHP has session handling systems, but I'm
> > not gonna use them because I want stuff to work in *both* Perl and PHP
> > CGIs* -- I might be populating some other SESSION_* environment
> > variables elsewhere, for instance.
> >
>
> You're really trying to make things complicated, aren't you?
Nope. Got a perfectly good reason to drop my session variables into the
script local environment. Those environment variables trickle down to
SSI includes under Apache 2, and I put SSI include tags in my output,
which means that normal SHTML markup can access things -- and act
accordingly without needing to talk to a database at all on its own.
And I do want everything to be able to use the same sessioning system
rather than two separate ones.
Of course, if I can work out where the 'leak' is happening, I may be
able to simply set it up to work in my previously attempted mod_perl
PerlSetupHandler -- which would then set ENV variables for whatever
extension I tell it. But I'm not putting things on hold until that,
either. B^)
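As an added example (not code posted by anyone in this thread): Sandman's query rewritten with a mysqli bind variable, which is what Dodger is asking for, next to the escaping approach Jerry suggests. The connection details and database name are placeholders; the cities(city, country) table is the one from the quoted query.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.
function fetchCitiesByCountry(mysqli $db, string $country): array
{
    // The '?' is a bind variable: the query text and the value travel
    // separately, so $country can never alter the SQL structure, whatever
    // characters a user typed into it.
    $stmt = $db->prepare("SELECT city FROM cities WHERE country = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $country);   // "s": bind the value as a string
    $stmt->execute();
    $stmt->bind_result($city);          // no mysqlnd/get_result() needed

    $cities = array();
    while ($stmt->fetch()) {
        $cities[] = $city;
    }
    $stmt->close();
    return $cities;
}

// The escaping alternative from the thread. It is only safe when the
// escaped value sits inside quotes in the SQL and the connection charset
// matches what the escaper assumes; a bind variable needs neither condition.
function fetchCitiesByCountryEscaped(mysqli $db, string $country): array
{
    $safe = $db->real_escape_string($country);
    $res  = $db->query("SELECT city FROM cities WHERE country = '$safe'");
    $cities = array();
    while ($row = $res->fetch_assoc()) {
        $cities[] = $row["city"];
    }
    return $cities;
}

$db = new mysqli("host", "user", "password", "database"); // placeholders
if ($db->connect_error) {
    exit("connect failed: " . $db->connect_error);
}
$db->set_charset("utf8mb4");
// $_GET["country"] stands in for the user-supplied value Dodger worries about.
$country = isset($_GET["country"]) ? $_GET["country"] : "USA";
foreach (fetchCitiesByCountry($db, $country) as $city) {
    // Do stuff, e.g. populate $_ENV["SESSION_CITY"] as in Dodger's setup
}
```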