Reply to Re: Confused by mysqli

Posted by Sandman on 07/06/06 08:41

In article <1152097195.383533.289450@l70g2000cwa.googlegroups.com>,
"Dodger" <el.dodgero@gmail.com> wrote:

> > I've not used "mysqli", but doing the above in mysql:
> >
> > <?php
> > $db = mysql_connect("host", "user", "password");
> > mysql_select_db("dbname", $db);   // "dbname" is a placeholder
> >
> > $q = mysql_query("select * from cities where country = 'USA'");
> > $cities = array();
> > while ($r = mysql_fetch_assoc($q)) {   // the result resource must be passed in
> >     $cities[] = $r["city"];
> > }
> >
> > foreach ($cities as $city) {
> >     # Do stuff
> > }
> > ?>
>
> Well, I do need bind variables. In the non-mysqli example up there, the
> country is hardcoded into the statement. Even if I filled that in with
> a variable, what if it was a variable that was passed in by a user? It
> would be too easy to hack and would end up either potentially crippling
> things or with an arms race between me and some l33+ haxcsore wanker
> who thinks he's clever.

If you're going to use a user-submitted value, it's going to be a
user-submitted value.

# ?country=USA's

$c = addslashes($_GET["country"]);

$q = mysql_query("select * from cities where country = '$c'");
$cities = array();
while ($r = mysql_fetch_assoc($q)) {   // the result resource must be passed in
    $cities[] = $r["city"];
}


--
Sandman[.net]
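The bind-variable version that the quoted post asked about, written as an added example (not code from either poster) using a mysqli prepared statement. It assumes a `cities` table with `city` and `country` columns and uses placeholder connection details; the user-supplied value travels as a bound parameter, separate from the SQL text, so it cannot change the statement.

```php
<?php
// Added example: the cities-by-country query with mysqli bind variables
// instead of string interpolation. Assumes a `cities` table with `city` and
// `country` columns; host/user/password/dbname are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli("host", "user", "password", "dbname");
$db->set_charset("utf8mb4");   // escaping rules depend on the connection charset

// Returns the city names for one country. $country may come straight from
// user input (e.g. ?country=USA's): as a bound parameter it is sent to the
// server separately from the statement text, so quotes in it are just data.
function cities_for_country(mysqli $db, string $country): array
{
    $stmt = $db->prepare("SELECT city FROM cities WHERE country = ?");
    $stmt->bind_param("s", $country);   // "s": bind as a string
    $stmt->execute();

    $cities = [];
    $stmt->bind_result($city);
    while ($stmt->fetch()) {
        $cities[] = $city;
    }
    $stmt->close();
    return $cities;
}

$country = $_GET["country"] ?? "";
foreach (cities_for_country($db, $country) as $city) {
    // Do stuff; escape on output as well, since the value is still untrusted
    echo htmlspecialchars($city, ENT_QUOTES, "UTF-8"), "\n";
}
```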
