Posted by Paul Jinks on 12/18/05 22:37
Richard Davey wrote:
>> <?
>> $connect = mysql_connect("", "", "")
>> or die("could not connect");
>> $db = mysql_select_db("")
>> or die("could not select db");
>> if (isset($HTTP_GET_VARS['projTitle']))
>> {
>> $SQLQuery = "SELECT * FROM project WHERE
>> projTitle = ".$HTTP_GET_VARS['projTitle']
>> or die("SQLQuery 1 failed");
>> }
>> else
>> {
>> $SQLQuery = "SELECT*FROM project ORDER BY projTitle"
>> or die("SQLQuery 2 failed");
>> }
>> $result = mysql_query($SQLQuery,$connect)
>> or die("couldn't set value of result");
>>
> There are various issues re: SQL injection and lack of filtering going
> on here, but perhaps not best to dwell on those -just yet-, as long as
> you are aware that your script is lacking in all forms of security?
> Then you can address that once you've got it working.
>
Hi Richard
Think I've got everything more or less working now and need to look at
security issues. Thanks for the tip about SQL injection - had no idea
what this was, but googling it proved very interesting - scary stuff!
Could you direct me towards any good resources on general security with
php/mysql?
Thanks again
Paul.
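For reference, here is what the two queries in the quoted script look like once the `projTitle` value is passed as a bound parameter instead of being concatenated into the SQL string. This is an added example, not code from Paul or Richard: the table `project` and column `projTitle` are taken from the quoted script, while the DSN, the credentials and the function names `connect_db()` and `search_project()` are assumptions.

```php
<?php
// Added example (not from the thread): the quoted script's two queries rewritten
// with PDO prepared statements, so the user-supplied title travels to MySQL as a
// bound value and is never spliced into the SQL text.
// "project" and "projTitle" come from the quoted script; the DSN, credentials and
// the function names are assumed placeholders.

declare(strict_types=1);

function connect_db(): PDO
{
    // Placeholders: replace with the real host, database name and credentials.
    $dsn = 'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4';
    return new PDO($dsn, 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Return project rows. With a title, look up that exact title; without one,
 * return every project ordered by title (the two branches of the quoted script).
 */
function search_project(PDO $pdo, ?string $title): array
{
    if ($title !== null && $title !== '') {
        // The "?" is filled in by the driver: quotes, semicolons or SQL keywords
        // inside $title are just characters of the value being compared.
        $stmt = $pdo->prepare('SELECT * FROM project WHERE projTitle = ?');
        $stmt->execute([$title]);
    } else {
        // No user input in this statement, so a plain query is fine.
        $stmt = $pdo->query('SELECT * FROM project ORDER BY projTitle');
    }
    return $stmt->fetchAll();
}

// Usage: $_GET is the current name for the $HTTP_GET_VARS array in the quoted script.
try {
    $pdo   = connect_db();
    $title = isset($_GET['projTitle']) ? (string) $_GET['projTitle'] : null;
    foreach (search_project($pdo, $title) as $row) {
        // Escape on output as well, so a stored title cannot inject HTML into the page.
        echo htmlspecialchars($row['projTitle'], ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
} catch (PDOException $e) {
    // Log driver details server-side; show the browser only a generic message.
    error_log($e->getMessage());
    echo 'Database error';
}
```

Two points worth noting against the quoted script: the `or die(...)` clauses attached to the string assignments never fire, because assigning a string cannot fail, so the only real error check there was on `mysql_query()`; and the `mysql_*` functions themselves were removed in PHP 7, so PDO or `mysqli` with prepared statements is the route to take in any case.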