Posted by Jim Michaels on 02/11/06 23:19
"Pedro Graca" <hexkid@dodgeit.com> wrote in message
news:slrndu6u8v.613.hexkid@ID-203069.user.individual.net...
> JT wrote:
>> I am working on a basic webpage in PHP connecting to a MySQL database,
>> here is my query...
>>
>> //query 1
>> $query_rs_staff = "SELECT * FROM jtStaff WHERE
>> locationID=".$_GET['myDesk'];
>
> Have you thoroughly sanitized $_GET['myDesk']?
> Someone could tweak it to "1 or 42=42" giving strange results for the
> following query.
>
>> $rs_staff = mysql_query($query_rs_staff);
>> $row_rs_staff = mysql_fetch_assoc($rs_staff);
>>
>>
>> //query 2
>> $query_rs_section = "SELECT * FROM jtSection WHERE
>> sectionID=$row_rs_staff['sectionID']";
>> $rs_section = mysql_query($query_rs_section);
>> $row_rs_ssection = mysql_fetch_assoc($rs_section);
>> ?>
>>
>>
>> I had it working with query 1. Then I added query 2 to get from another
>> table, some additional data. So I have no problems with query 1. When
>> run through my server, it throws back a parse error on line 20, which is
>> the first line of query 2. Can someone tell me the correct syntax for
>> what I am trying to do here?
Or you can do it like this:
$query_rs_section = "SELECT * FROM jtSection WHERE
sectionID=$row_rs_staff[sectionID]";
Whatever suits your fancy.
> ### ______^__________________________^_
>
> --
> If you're posting through Google read <http://cfaj.freeshell.org/google>
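
The concern raised in the thread about `$_GET['myDesk']`, as an added example that is not part of the original posts: query 1 built by concatenation next to a validated, parameterized form, run against the same two inputs. It assumes PDO with an in-memory SQLite database standing in for the MySQL server so it runs offline; the function names and table rows are constructed for illustration.

```php
<?php
// Added example: constructed rows, hypothetical function names.
// In-memory SQLite stands in for the MySQL server used in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE jtStaff (name TEXT, locationID INTEGER, sectionID INTEGER)');
$db->exec("INSERT INTO jtStaff VALUES ('alice', 1, 10), ('bob', 2, 20), ('carol', 3, 20)");

// "Before": query 1 as posted, with the raw parameter concatenated into the SQL.
function staffConcatenated(PDO $db, string $myDesk): array
{
    $sql = 'SELECT * FROM jtStaff WHERE locationID=' . $myDesk;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": accept only a positive integer, then bind it as a typed parameter
// so the value can never become part of the SQL text.
function staffPrepared(PDO $db, string $myDesk): array
{
    $id = filter_var($myDesk, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // not a plain integer: reject instead of querying
    }
    $stmt = $db->prepare('SELECT * FROM jtStaff WHERE locationID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// First input is a normal desk id; second is the value quoted in the thread.
foreach (['2', '1 or 42=42'] as $input) {
    printf(
        "%-14s concatenated: %d row(s)   prepared: %d row(s)\n",
        "'$input'",
        count(staffConcatenated($db, $input)),
        count(staffPrepared($db, $input))
    );
}
```

The same prepare/bind pattern works against MySQL through PDO's mysql driver or mysqli, and applies equally to query 2, where `sectionID` should be bound rather than interpolated.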