Posted by bokke on 10/26/06 16:17

Markus Ernst wrote:
> bokke schrieb:
> > Hi,
> >
> > I have a page with a link
> >
> > <a href="Contributor.php?action=&SubCat=<?php echo $row["writer"];
> > ?>"><?php echo $row["writer"];?></a>
> >
> > that does to a page with a SELECT
> >
> > $query = "SELECT * FROM news WHERE writer='$SubCat' ";
>
> You are sure register_globals is on? Anyway it is recommended to use
> $_GET['SubCat'].
>
> > But it is not pulling any data from the database. If I do this
> > $query = "SELECT * FROM news WHERE writer='Bob Smith' ";
> > works great??
> >
> > also
> > the ULR reads -
> > Contributor.php?action=&SubCat=Bob%20Smith
>
> So you have one record with 'Bob Smith' and another one with 'Bob%20Smith'?
>
> Some recommendations:
> - use urlencode() and urldecode() if you send GET data that could
> contain any characters beyond a-z, A-Z and 0-9
> - always pre-process transmitted data before putting them into the
> database; also google for "SQL injectin" and "E-mail injection"
> - regarding your HTML, use validator.w3.org to check it, and don't use a
> strict XHTML doctype if you don't write strict XHTML.
> - regarding posting, your message appears as a reply to an old thread in
> my newsreader - was that your intention?
>
> --
> Markus

Sorry - that was not my intention ...
as to your question - I only have a 'Bob Smith' but when the PHP looks
for it - it places %20 instead of the spaces i believe.

as to your other points - i'm looking them us as we speak.

thanks

[Back to original message]