Posted by Kevin Raleigh on 07/17/07 04:11
I tried removing the quotes from the query:
$check = mysql_query("SELECT * FROM user WHERE id = $userID") or die("query failed!");
and it comes back with my die message "query failed!";
Can you advise further?
Kevin Raleigh
"Kevin Raleigh" <kraleigh@sbcglobal.net> wrote in message
news:X6CdnaYASeZRoAHbnZ2dnUVZ_jSdnZ2d@giganews.com...
> How do you sanitize variables to prevent SQL injections?
>
> thank you
> Kevin Raleigh
>
> "Norman Peelman" <npeelman@cfl.rr.com> wrote in message
> news:469c3ba5$0$8018$4c368faf@roadrunner.com...
> > Kevin Raleigh wrote:
> > > I have user id from the url string. sorry forgot to mention it.
> > > http://www.myWebSite.org/validate?id=154&code=Ogtidw
> > >
> > > $userID = $_GET["id"];
> > > $secureID = $_GET["code"];
> > >
> > > Why would the update fail?
> > > Did I code it correctly?
> > >
> > > Thank You
> > > Kevin Raleigh
> > >
> > > "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> > > news:op.tvk8wiczqnv3q9@metallium...
> > > On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh <kraleigh@sbcglobal.net> wrote:
> > >
> > >> The following code seems to be failing. Can you check my logic?
> > >> I am using this //>> notation in the body of the code to indicate my
> > >> questions and
> > >> comments
> > >> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'") or die("query failed!");
> > >
> > > What is in $userID? Try to echo the query before performing it.
> > >
> > >
> > >
> >
> > Remove the quotes from around $userID in the query... you don't need
> > them for numbers, only strings (generally speaking). And sanitize your
> > variables to prevent SQL Injections.
> >
> > Norm
>
>
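The question of how to sanitize the id and code taken from the URL is not answered in the thread, so here is an added example (not code from any of the posters): it validates the two $_GET values and then runs the lookup as a mysqli prepared statement, so the values are sent separately from the SQL text and can never be parsed as part of the query. The connection details, the columns of the `user` table and the format of `code` are assumptions.

```php
<?php
// Added example, not from the thread. Assumes the `user` table has an integer
// `id` column and a string `code` column, that `code` is a short alphanumeric
// token, and that the connection details below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of silently failing

// 1. Validate: reject anything that is not the shape we expect before it
//    gets anywhere near the database. $_GET is attacker-controlled input.
function validateId($raw) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

function validateCode($raw) {
    // Assumed token format: 4 to 32 letters or digits. Adjust to your generator.
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9]{4,32}$/', $raw)) {
        throw new InvalidArgumentException('code has an unexpected format');
    }
    return $raw;
}

// 2. Query with bound parameters: the SQL text is fixed and the values are
//    transmitted separately, so no quoting or escaping of $userID is needed.
function findUser(mysqli $db, $id, $code) {
    $stmt = $db->prepare('SELECT * FROM user WHERE id = ? AND code = ?');
    $stmt->bind_param('is', $id, $code);     // i = integer, s = string
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc(); // null when no row matches
}

try {
    $userID   = validateId($_GET['id'] ?? '');
    $secureID = validateCode($_GET['code'] ?? '');
    $db   = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholders
    $user = findUser($db, $userID, $secureID);
    echo $user === null ? 'no matching user' : 'validated user ' . (int) $user['id'];
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'bad request: ', $e->getMessage();
} catch (mysqli_sql_exception $e) {
    http_response_code(500);
    error_log($e->getMessage()); // keep the real error in the log, not the browser
    echo 'lookup failed';
}
```

With error reporting switched to exceptions, a failing query tells you why in the log instead of only "query failed!", which is the first thing to check when a query dies.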