Re: Populating form from database, then passing results to next page

Posted by JackM on 09/27/31 11:44

Erwin Moller wrote:
> Geoff Berrow wrote:
>
>
>>Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
>>contained the following:
>>
>>
>>>>$query = ("SELECT * FROM `table`");
>>>>$result = mysql_query($query);
>>>>
>>>>print "<p>Data for Selections:";
>>>>print "<table border=2><tr><th>You chose:";
>>>>
>>>
>>>Try this instead (notice the quotes around array keys):
>>>
>>>while($row = mysql_fetch_array($result)) {
>>>if(in_array(strval($row['ID']), $_POST['subm'])) {
>>
>>Alternatively, just get the rows you want from the database.
>>
>>$ids=implode(",",$_POST['subm']);
>>$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
>>$result = mysql_query($query);
>>while($row = mysql_fetch_array($result)) {
>>//print rows
>>}
>
>
> Just a security remark:
>
> Is this approach safe for SQL-injection?
> Bad guys might send other stuff in the subm-array than numbers...
>
> I am always better safe than sorry, and loop over the results, parse them,
> and then feed them to the query.
>
> Something like this:
> $id = array();
> foreach($_POST["subm"] as $oneNum){
> $id[] = (int)$oneNum;
> }
> $ids = implode(",",$id);
> $query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
> etc..
>
> A little bit slower probably, but at least the $id[] and the corresponding
> $ids string contains only numbers.

Just a question on this way to further my own learning process. Does the
fact that the $_POST['subm'] array is dynamically done on the previous
page prevent one from using it for injection? It's not something that
requires a user to fill in any text info for. It's only a checkbox that
gets checked.

Incidentally, thanks to Scott and Geoff for their solutions. I used
Scott's as I saw it first, tried it and it works just fine. Much obliged
to both of you and to Erwin as well for the assistance.
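On the question above: the browser-generated checkbox form does not constrain what arrives in `$_POST['subm']`, because any HTTP client can submit arbitrary field values directly, so the array still has to be validated server-side. The following is an added example (not code from any poster in this thread) that takes Erwin's cast-to-int idea one step further: it keeps only values that are well-formed digit strings, refuses to build an empty `IN ()` clause, and also shows the same query as a prepared statement with one placeholder per ID. The table name, the `subm` field and the two `$...Post` arrays are taken from the thread or constructed here for the demonstration; `$db` in the trailing comment is an assumed mysqli connection that is not opened in the example.

```php
<?php
// Added example, not from the thread: building the `ID IN (...)` clause
// safely from a checkbox array such as $_POST['subm'].

/**
 * Return only the values that are well-formed non-negative integers.
 * Anything else (empty strings, letters, SQL fragments) is dropped rather
 * than cast, so "7 OR 1=1" does not silently become 7.
 */
function cleanIdList($values): array
{
    $ids = [];
    foreach ((array)$values as $v) {
        // ctype_digit('') is false, so empty checkbox values are skipped;
        // the length guard keeps (int) from overflowing on huge strings.
        if (is_string($v) && ctype_digit($v) && strlen($v) <= 18) {
            $ids[] = (int)$v;
        } elseif (is_int($v) && $v >= 0) {
            $ids[] = $v;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Build the query discussed in the thread, interpolating only the cleaned
 * integers. Returns null when no usable ID remains, because "IN ()" is a
 * syntax error in MySQL.
 */
function buildInQuery($values): ?string
{
    $ids = cleanIdList($values);
    if ($ids === []) {
        return null;
    }
    return 'SELECT * FROM `table` WHERE `ID` IN (' . implode(',', $ids) . ')';
}

/**
 * Same query as a prepared statement: one "?" per ID, so the driver sends
 * the values separately from the SQL text. Returns the pieces needed for
 * mysqli_stmt::bind_param; no database connection is needed to build them.
 */
function buildPreparedInQuery($values): ?array
{
    $ids = cleanIdList($values);
    if ($ids === []) {
        return null;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return [
        'sql'    => "SELECT * FROM `table` WHERE `ID` IN ($placeholders)",
        'types'  => str_repeat('i', count($ids)),   // every parameter is an integer
        'params' => $ids,
    ];
}

// Constructed POST arrays for the demonstration (no real form involved).
$honestPost   = ['subm' => ['4', '7', '7', '12']];
$tamperedPost = ['subm' => ['4', '7 OR 1=1', 'abc', '']];

echo buildInQuery($honestPost['subm']), PHP_EOL;      // duplicates collapsed
echo buildInQuery($tamperedPost['subm']), PHP_EOL;    // only the digit string survives
var_dump(buildInQuery([]));                           // null: nothing safe to query

$q = buildPreparedInQuery($honestPost['subm']);
echo $q['sql'], '  types=', $q['types'], PHP_EOL;

// With a live mysqli connection $db (assumed, not opened here) the prepared
// form would be executed as:
//   $stmt = $db->prepare($q['sql']);
//   $stmt->bind_param($q['types'], ...$q['params']);
//   $stmt->execute();
```

Dropping malformed values instead of casting them makes the rejection visible in the result (a missing ID) rather than hiding it as a `0`, which is also easier to log and alert on server-side. The prepared-statement variant is the one to prefer on a driver that supports it, since the ID list never becomes part of the SQL string at all.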
