Re: [PHP] Dynamic DB query - form display

Posted by David Grant on 11/18/05 12:54

Hi Adrian,

You can still use the text input, but you must ensure that the input is
filtered first. There is a wealth of information on SQL injection and
its prevention on the Internet. Try these for starters:

http://shiflett.org/articles/security-corner-apr2004
http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Cheers,

David Grant

Adrian Bruce wrote:
>
> I'm aware it would be a security hole if it were available to all users,
> but it's just for me at the mo, other users get a watered down version
> with just check boxes. I basically want to allow flexible filtering of
> a set of data but obviously this poses a few challenges, any ideas
> always welcome!
>
> Thanks for the tip by the way, I ended up doing the following
>
> $field = stripslashes(htmlentities($field,ENT_QUOTES));
>
> Adrian
>
> David Grant wrote:
>
>> Hi Adrian,
>>
>> This appears to be a security hole, but since that wasn't the reason for
>> the question, please try:
>>
>> echo "<input type='text' value='" . htmlentities($clause, ENT_QUOTES) .
>> "'>";
>>
>> php.net/htmlentities
>>
>> Cheers,
>>
>> David Grant
>>
>> Adrian Bruce wrote:
>>
>>
>>> Hi
>>>
>>> I am trying to dynamically create a query based on form input for an
>>> intranet. I have a text input that allows a user to input part of a
>>> where clause such as - not like '04%' -. This bit works fine but I
>>> would like to display the clause back in the form field when the page
>>> reloads.
>>> $clause = "not like '04%'";
>>> echo"<input type='text' value='$clause'>";
>>>
>>> Now obviously I hit a problem with the use of the quotation marks ' '
>>> and just see - not like \ - in the form field. I need to keep the '
>>> marks around the 04% for the query. Any ideas how I can do this?
>>>
>>> Any help much appreciated!
>>>
>>> Adrian
>>>
>>>
>>
>>
>>
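A defender's-side rework of the filter, as an added example rather than code from this thread: instead of accepting a WHERE fragment as free text, take the column, operator and value as separate form fields, allow-list the first two and bind the third as a parameter, so the quoting problem in the original question disappears together with the injection risk. It assumes PHP 7 or later, an existing PDO connection in `$pdo`, and a table `items` with columns `code`, `name` and `status`; all of those names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a
// table `items` with columns `code`, `name`, `status` (all assumed names).

// Allow-lists: only these identifiers and operators may reach the SQL text.
const ALLOWED_COLUMNS   = ['code', 'name', 'status'];
const ALLOWED_OPERATORS = ['=', '<>', 'like', 'not like'];

/**
 * Build a parameterised WHERE clause from (column, operator, value) triples.
 * Column and operator are checked against the allow-lists; the value is
 * always bound, so "04%' OR '1'='1" is merely a string MySQL compares.
 * Returns [sql fragment, bound parameters].
 */
function buildWhere(array $filters): array
{
    $parts  = [];
    $params = [];
    foreach ($filters as $i => $f) {
        $column = $f['column'] ?? '';
        $op     = strtolower(trim($f['operator'] ?? ''));
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
        if (!in_array($op, ALLOWED_OPERATORS, true)) {
            throw new InvalidArgumentException("operator not allowed: $op");
        }
        $name          = ":v$i";
        $parts[]       = "`$column` $op $name";
        $params[$name] = (string) ($f['value'] ?? '');
    }
    $where = $parts ? ' WHERE ' . implode(' AND ', $parts) : '';
    return [$where, $params];
}

// Constructed input: the thread's "not like '04%'" filter on column `code`,
// as it would arrive from a form with separate fields.
$filters = [['column' => 'code', 'operator' => 'not like', 'value' => '04%']];
list($where, $params) = buildWhere($filters);

// The SQL text contains no user data; the value travels as a parameter.
$stmt = $pdo->prepare('SELECT * FROM `items`' . $where);
$stmt->execute($params);

// Redisplaying the filter value: escape for HTML only. The SQL quote marks
// from the original question are no longer part of what the user types.
echo "<input type='text' name='filters[0][value]' value='"
   . htmlentities($filters[0]['value'], ENT_QUOTES) . "'>";
```

The column allow-list is what makes the backtick-quoted identifier safe; never interpolate a column or operator that did not pass the `in_array` check.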
