Reply to Re: explanation please

Posted by Michael G on 09/08/05 01:52

"muldoonaz" <donot@spam.me.com> wrote in message
news:Q0JTe.296169$WN5.93062@fe02.news.easynews.com...
> Michael G wrote:
>> The following is from
>> http://php.mirrors.ilisys.com.au/manual/en/security.database.sql-injection.php .
>>
>> Would someone explain the following lines, in particular I don't
>> understand
>> '$paramArr[\'$1\']' nor do I understand how the syntax {1} works or how
>> it is related to arrays?
>>
>> Thanks, mIke.
>>
>> <some code snipped>
>> ...
>> return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']',
>> $queryString);
>> }
>>
>> $sqlQuery = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2}
>> LIMIT {3}';
>> $stm = mysql_query(prepareSQL($sqlQuery, array('username', 24.3, 20)));
>> ?>
>
> look at the snippet of code and you'll find your answer. the $paramArr
> variable is passed with the calling of the function.
>
> you'd type the following into your script: prepareSQL("something",
> "here"); and "here" would become $paramArr.
>

Yeah, I understand that. In the OP, $paramArr is an array. I also now
understand that the author of this function uses regular expressions to do
the replacement.


> return preg_replace('/\{(.*?)\}/ei','$paramArr[\'$1\']', $queryString);
> }
>

But I still fail to understand how 'paramArr[\'$1\']' is mapped using $1 as
an index. I've tried printing paramArr['$1'] to see if I might gain some
understanding but to no avail.

Mike



----== Posted via Newsfeeds.Com - Unlimited-Uncensored-Secure Usenet News==----
http://www.newsfeeds.com The #1 Newsgroup Service in the World! 120,000+ Newsgroups
----= East and West-Coast Server Farms - Total Privacy via Encryption =----
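
How the `/e` replacement turns `{1}` into an array lookup, as an added example that is not part of the thread or of the PHP manual code it quotes. The `e` modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so its steps are reproduced by hand here; the function names `expandLikeE` and `expandWithCallback` and the sample array with keys 1 to 3 are assumptions.

```php
<?php
// Added illustration; expandLikeE() and expandWithCallback() are hypothetical names.

// What the /e modifier did for every match of /\{(.*?)\}/ :
//  1. The PHP literal '$paramArr[\'$1\']' is the plain string  $paramArr['$1']
//     (the backslashes only escape the quotes inside the single-quoted literal).
//  2. $1 in that string is replaced by the captured text (quotes escaped),
//     so a match on {1} yields the code string  $paramArr['1'].
//  3. That string is evaluated as PHP and its value replaces the match.
function expandLikeE(string $queryString, array $paramArr): string
{
    $replacement = '$paramArr[\'$1\']';
    return preg_replace_callback(
        '/\{(.*?)\}/i',
        function (array $m) use ($paramArr, $replacement) {
            $code = str_replace('$1', addslashes($m[1]), $replacement);
            echo $m[0] . ' is evaluated as: ' . $code . "\n";
            // Evaluating match text as code is why /e was removed from PHP.
            return (string) eval("return $code;");
        },
        $queryString
    );
}

// The same lookup without evaluating anything: the captured text is only
// ever used as an array key, and unknown placeholders are rejected.
function expandWithCallback(string $queryString, array $paramArr): string
{
    return preg_replace_callback(
        '/\{(.*?)\}/',
        function (array $m) use ($paramArr) {
            if (!array_key_exists($m[1], $paramArr)) {
                throw new InvalidArgumentException("No parameter for {$m[0]}");
            }
            return (string) $paramArr[$m[1]];
        },
        $queryString
    );
}

// Constructed sample input; keys chosen to match the {1}..{3} placeholders.
$params = [1 => "'username'", 2 => 24.3, 3 => 20];
$sql = 'SELECT col1, col2 FROM tab1 WHERE col1 = {1} AND col3 = {2} LIMIT {3}';
echo expandLikeE($sql, $params), "\n";
echo expandWithCallback($sql, $params), "\n";
```

Neither function escapes or quotes the values it inserts, so placeholder substitution alone does not protect a query; the values must already be safe for SQL, or the query should use prepared statements (PDO or mysqli) instead.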
