Posted by J Wynia on 05/10/05 17:26
dracolytch@gmail.com wrote:
> Good day all,
> Ok, I have a pretty tricky problem that I need some help with.
>
> I pass around search query information a fair amount (specifically
> WHERE statements). Normally, I just rawurlencode() the buggers, and
> pass them via the URL. I like having the where clauses in the URL,
> because then someone can just bookmark the URL, or send it to a friend,
> and I don't have to worry about a thing.
>
1. You should probably do some reading on "SQL injection" and tread
very carefully. Having SQL in your request (even if you're parsing it)
is playing with fire.
2. You can accomplish the whole "bookmarkable URL" thing without
putting your SQL right on the URL.
Here's a way to do it. Cache the SQL statements that your script creates
from the search query to the filesystem. An easy way to do that is to
md5() the constructed SQL statement, create a file with that md5() value
and put the SQL statement into the file. Then, put query=md5string on
your URLs. When that parameter is present, check the filesystem for the
appropriate cached query and pull it in, using it instead of your
defaults. Quick sample snippets are below.
--------------
// Build the query, then cache it under the md5() of its own text.
$sql = "SELECT * FROM table";
$cached_filename = md5($sql);
$filename = "cachedqueries/$cached_filename";
if (!$handle = fopen($filename, 'w')) {
    die("Cannot open file $filename");
}
if (fwrite($handle, $sql) === FALSE) {
    die("Cannot write file $filename");
}
fclose($handle);
// Only the md5 token goes on the URL, never the SQL itself.
$url = "existingurl?query=$cached_filename";
-------------
$query = isset($_GET['query']) ? $_GET['query'] : '';
// Accept only a 32-character hex md5 value, so a crafted "query" parameter
// cannot name a file outside cachedqueries/.
if (preg_match('/^[a-f0-9]{32}$/', $query) && file_exists("cachedqueries/$query")) {
    $sql = file_get_contents("cachedqueries/$query");
} else {
    $sql = "SELECT * FROM table";
}
--------------------------------
J Wynia
Myriad Intellect, Inc.
"Web technology that earns its keep."
www.myriadintellect.com
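A hardened variant of the same bookmarkable-token idea, added here as an example (it is not code from the post above): it caches the search *parameters* rather than a SQL string, accepts only a hex digest as the token, and rebuilds the query with PDO placeholders so the cached values never become part of the SQL text. The cachedqueries/ directory name comes from the post; the customers table, the column whitelist and all function names are assumptions.

```php
<?php
// Added example, not from the post: cache the *search parameters* (not SQL) under a
// content-addressed token, and rebuild a parameterized query from them on the way back in.
// Assumed: cachedqueries/<sha256>.json layout (directory name from the post), a "customers" table.
const CACHE_DIR = __DIR__ . '/cachedqueries';
const ALLOWED_COLUMNS = ['name', 'city', 'status']; // only these may appear in a WHERE clause

function assert_allowed(array $filters): void {
    foreach (array_keys($filters) as $col) {
        if (!in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $col");
        }
    }
}

// Save a search and return the token to put on the URL (?query=TOKEN).
function save_search(array $filters): string {
    assert_allowed($filters);
    $json  = json_encode($filters, JSON_THROW_ON_ERROR);
    $token = hash('sha256', $json);   // content-addressed, like the post's md5() idea
    if (!is_dir(CACHE_DIR)) { mkdir(CACHE_DIR, 0700, true); }
    file_put_contents(CACHE_DIR . "/$token.json", $json, LOCK_EX);
    return $token;
}

// Load a saved search; null if the token is malformed or unknown.
function load_search(string $token): ?array {
    // Only a hex digest is accepted, so a value like "../../etc/passwd" never reaches the filesystem.
    if (!preg_match('/^[a-f0-9]{64}$/', $token)) { return null; }
    $path = CACHE_DIR . "/$token.json";
    if (!is_file($path)) { return null; }
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// Build the query with placeholders: filter values are bound, never spliced into the SQL text.
function build_query(array $filters): array {
    assert_allowed($filters);
    $sql = 'SELECT * FROM customers';
    $params = [];
    if ($filters) {
        $parts = [];
        foreach ($filters as $col => $val) {
            $parts[] = "$col = :$col";
            $params[":$col"] = $val;
        }
        $sql .= ' WHERE ' . implode(' AND ', $parts);
    }
    return [$sql, $params];
}
// Usage: $token = save_search(['city' => "O'Fallon"]);  then later, on the bookmarked URL:
// [$sql, $params] = build_query(load_search($_GET['query'] ?? '') ?? []); $pdo->prepare($sql)->execute($params);
```

Because the token is derived from the stored content, the same search always yields the same URL, so bookmarks and shared links keep working exactly as in the md5() version.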