Posted by Ian Rastall on 06/28/05 23:58

On 28 Jun 2005 13:37:06 -0800, yf110@vtn1.victoria.tc.ca (Malcolm
Dew-Jones) wrote:

> $id = mysql_escape_string($_REQUEST[id]);
>
> $sql = "select * from the_table where ID='$id'";

Okay, I think I'm making progress. I changed:

<td><a href="<?php print
$_SERVER['PHP_SELF']."?album=".$row_rsDaevid['Album'];
?>">

to

<td><a href="<?php print
$_SERVER['PHP_SELF']."?album=".mysql_escape_string($row_rsDaevid['Album']);
?>">

which yields an escaped string in the final source code. The page
still doesn't work, though, meaning clicking on the album doesn't pop
up the info on the left. I think it's looking for "N\'existe Pas" in
the db and not finding it.

I looked up the PHP equivalent of "unescape", and found "urldecode",
which I tried to use at the point where it calls the album, at:

<h3><?php echo urldecode($row_rsDaevid['Album']); ?></h3>

but it didn't help. Didn't throw an error, either, but didn't help.
:-)

Am I on the right track here? Thanks for any help. The code, again, is
at:

http://www.gongfamily.net/code.txt

TIA

Ian
--
Was it not a comedy, a strange and stupid
matter, this repetition, this running around
in a fateful circle? (Hermann Hesse)
http://www.bookstacks.org/

[Back to original message]