Posted by Richard Levasseur on 07/06/06 19:17
Jerry Stuckle wrote:
> Sandman wrote:
> > In article <1152097195.383533.289450@l70g2000cwa.googlegroups.com>,
> > "Dodger" <el.dodgero@gmail.com> wrote:
> >
> >
> >>>I've not used "mysqli", but doing the above in mysql:
> >>>
> >>><?
> >>> $db = mysql_connect("host", "user", "password");
> >>>
> >>> $q = mysql_query("select * from cities where country = 'USA'");
> >>> $cities = array();
> >>> while ($r = mysql_fetch_assoc($q)){
> >>> $cities[] = $r["city"];
> >>> }
> >>>
> >>> foreach ($cities as $city){
> >>> # Do stuff
> >>> }
> >>>?>
> >>
> >>Well, I do need bind variables. In the non-mysqli example up there, the
> >>country is hardcoded into the statement. Even if I filled that in with
> >>a variable, what if it was a variable that was passed in by a user? It
> >>would be too easy to hack and would end up either potentially crippling
> >>things or with an arms race between me and some l33+ haxcsore wanker
> >>who thinks he's clever.
> >
> >
> > If you're going to use a user-submitted value, it's going to be a
> > user-submitted value.
> >
> > # ?country=USA's
> >
> > $c = addslashes($_GET["country"]);
> >
> > $q = mysql_query("select * from cities where country = '$c'");
> > $cities = array();
> > while ($r = mysql_fetch_assoc($q)){
> > $cities[] = $r["city"];
> > }
> >
> >
>
> You shouldn't use addslashes. That's what mysql_real_escape_string() is
> for.
>
> --
> ==================
> Remove the "x" from my email address
> Jerry Stuckle
> JDS Computer Training Corp.
> jstucklex@attglobal.net
> ==================
Also make sure to turn magic_quotes OFF
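The bind-variable approach Dodger asked about, and the magic_quotes point above, as an added example that is not from anyone in this thread: the same "cities in a country" query written with a mysqli prepared statement, so the user-supplied value travels to the server as a bound parameter and is never spliced into the SQL text. The host, credentials, database name and the `cities(city, country)` table are placeholders.

```php
<?php
// Added example (not from the thread). Assumed: a mysqli connection with
// placeholder credentials and a table cities(city, country).

function cities_for_country(mysqli $db, $country) {
    // The SQL text is fixed; '?' marks where the bound value goes.
    $stmt = $db->prepare("SELECT city FROM cities WHERE country = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    // 's' = string type. A value such as "USA'" is delivered as data, so no
    // quoting or escaping is needed (or wanted) here.
    $stmt->bind_param('s', $country);
    $stmt->execute();
    $stmt->bind_result($city);

    $cities = array();
    while ($stmt->fetch()) {
        $cities[] = $city;
    }
    $stmt->close();
    return $cities;
}

// magic_quotes_gpc (removed in PHP 5.4) silently added backslashes to
// GET/POST input. With bound parameters those backslashes would end up
// inside the data, so undo them if the option is on; on modern PHP the
// function no longer exists and the input is returned unchanged.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

$db = new mysqli("host", "user", "password", "dbname"); // placeholder credentials
if ($db->connect_error) {
    die("connect failed: " . $db->connect_error);
}

// ?country=USA's  -- the apostrophe is just part of the parameter value.
$country = isset($_GET['country']) ? raw_input($_GET['country']) : 'USA';
foreach (cities_for_country($db, $country) as $city) {
    // Do stuff
    echo htmlspecialchars($city), "\n";
}
?>
```

With this shape there is nothing to escape at the query layer at all: `mysql_real_escape_string()` only matters when the value is being built into the SQL string, which a prepared statement never does.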