Posted by Erwin Moller on 04/06/06 15:56
Geoff Berrow wrote:
> Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
> contained the following:
>
>>> $query = ("SELECT * FROM `table`");
>>> $result = mysql_query($query);
>>>
>>> print "<p>Data for Selections:";
>>> print "<table border=2><tr><th>You chose:";
>>>
>>
>>Try this instead (notice the quotes around array keys):
>>
>>while($row = mysql_fetch_array($result)) {
>> if(in_array(strval($row['ID']), $_POST['subm'])) {
>
> Alternatively, just get the rows you want from the database.
>
> $ids=implode(",",$_POST['subm']);
> $query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
> $result = mysql_query($query);
> while($row = mysql_fetch_array($result)) {
> //print rows
> }
Just a security remark:
Is this approach safe against SQL injection?
Bad guys might send other stuff in the subm array than numbers...
I am always better safe than sorry, and loop over the results, parse them,
and then feed them to the query.
Something like this:
$id = array();
foreach($_POST["subm"] as $oneNum){
    $id[] = (int)$oneNum;
}
$ids = implode(",",$id);
$query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
etc..
A little bit slower probably, but at least the $id[] array and the corresponding
$ids string contain only numbers.
Regards,
Erwin Moller
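As an added example (not code from the thread), this combines Erwin's cast-to-integer filter with the other common safeguard, a prepared statement that uses one placeholder per id, and guards the empty-array case where `IN ()` would be a SQL syntax error. It assumes PDO with the sqlite driver so it runs offline; the table and the submitted values are constructed here, and the `ctype_digit` check is stricter than a plain `(int)` cast, which would silently turn "3 OR 1=1" into 3.

```php
<?php
// Added example: sanitise $_POST['subm'] and query with placeholders.
// Assumes the PDO sqlite driver; table name and `ID` column follow the thread.

function idsFromPost(array $submitted): array {
    $ids = array();
    foreach ($submitted as $oneNum) {
        // Accept only strings made purely of digits, then cast to int.
        // Non-strings (e.g. nested arrays) and anything else are dropped.
        if (is_string($oneNum) && ctype_digit($oneNum)) {
            $ids[] = (int)$oneNum;
        }
    }
    // array_values re-indexes after array_unique, which PDO needs for positional binding.
    return array_values(array_unique($ids));
}

function fetchByIds(PDO $db, array $ids): array {
    if (count($ids) === 0) {
        return array();   // "IN ()" is a syntax error, so do not run the query at all
    }
    // One "?" per id: the values are bound, never interpolated into the SQL text.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT * FROM `table` WHERE `ID` IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample table and a form submission containing junk values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `table` (ID INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO `table` VALUES (1,'one'),(2,'two'),(3,'three')");

$_POST['subm'] = array('2', '3', '3 OR 1=1', 'abc', '3');
$rows = fetchByIds($db, idsFromPost($_POST['subm']));
foreach ($rows as $row) {
    print $row['ID'] . ' ' . $row['name'] . "\n";
}
```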