Posted by Paul Jinks on 12/18/05 22:37

Richard Davey wrote:

>> <?
>> $connect = mysql_connect("", "", "")
>> or die("could not connect");
>> $db = mysql_select_db("")
>> or die("could not select db");
>> if (isset($HTTP_GET_VARS['projTitle']))
>> {
>> $SQLQuery = "SELECT * FROM project WHERE
>> projTitle = ".$HTTP_GET_VARS['projTitle']
>> or die("SQLQuery 1 failed");
>> }
>> else
>> {
>> $SQLQuery = "SELECT*FROM project ORDER BY projTitle"
>> or die("SQLQuery 2 failed");
>> }
>> $result = mysql_query($SQLQuery,$connect)
>> or die("couldn't set value of result");
>>

> There are various issues re: SQL injection and lack of filtering going
> on here, but perhaps not best to dwell on those -just yet-, as long as
> you are aware that your script is lacking in all forms of security?
> Then you can address that once you've got it working.
>

Hi Richard

Think I've got everything more or less working now and need to look at
security issues. Thanks for the tip about SQL injection - had no idea
what this was, but googling it proved very interesting - scary stuff!

Could you direct me towards any good resources on general security with
php/mysql?

Thanks again

Paul.

• Next in forum: Re: Fw: [PHP] Load from db into <select>-list
• Prev in forum: Fw: [PHP] Load from db into <select>-list
• Thread view: Re: [PHP] PHP/MySQL noob rides again.. into trouble

[Reply to this message]