Richard Davey wrote:
<?php
// Connection details were blanked out in the original post.
$connect = mysql_connect("", "", "")
    or die("could not connect");
$db = mysql_select_db("")
    or die("could not select db");

if (isset($HTTP_GET_VARS['projTitle']))
{
    // The request value is pasted straight into the SQL text with no
    // escaping or validation: this is the injection problem noted below.
    $SQLQuery = "SELECT * FROM project WHERE projTitle = '"
        . $HTTP_GET_VARS['projTitle'] . "'";
}
else
{
    $SQLQuery = "SELECT * FROM project ORDER BY projTitle";
}

$result = mysql_query($SQLQuery, $connect)
    or die("couldn't set value of result");
There are various issues re: SQL injection and lack of filtering going
on here, but perhaps not best to dwell on those -just yet-, as long as
you are aware that your script is lacking in all forms of security?
Then you can address that once you've got it working.
Hi Richard
Think I've got everything more or less working now and need to look at
security issues. Thanks for the tip about SQL injection - had no idea
what this was, but googling it proved very interesting - scary stuff!
Could you direct me towards any good resources on general security with
php/mysql?
Thanks again
Paul.
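A safer way to build the two queries in the script quoted above, given here as an added example that is not code from either poster: it uses PDO prepared statements so that the request value is sent to MySQL as data rather than as part of the SQL text. It assumes the `project` table and `projTitle` column named in the script; the DSN and credentials are placeholders, and `$_GET` stands in for the long-removed `$HTTP_GET_VARS`.

```php
<?php
// Added example, not code from the thread. Assumes a `project` table with a
// `projTitle` column (both named in the original script). DSN and credentials
// below are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // ERRMODE_EXCEPTION replaces the "or die()" chain: any failure throws.
    // EMULATE_PREPARES=false makes the MySQL server bind the parameters itself.
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // placeholder DSN
        'example_user',                                          // placeholder
        'example_password',                                      // placeholder
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Vulnerable form, equivalent to the original script: the request value is
// concatenated into the SQL, so a single quote inside the title closes the
// string literal and whatever follows is executed as SQL. Kept only for
// contrast; it is never called.
function findProjectUnsafe(PDO $db, string $title): array
{
    $sql = "SELECT * FROM project WHERE projTitle = '" . $title . "'";
    return $db->query($sql)->fetchAll();
}

// Hardened form: the SQL text is fixed at prepare time and the title travels
// separately as a bound parameter, so it can never change the query structure.
function findProject(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT * FROM project WHERE projTitle = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll();
}

function listProjects(PDO $db): array
{
    // No request input is involved here; the ORDER BY column is fixed in code.
    return $db->query('SELECT * FROM project ORDER BY projTitle')->fetchAll();
}

// Usage mirrors the original script's branches.
$db = connect();
if (isset($_GET['projTitle'])) {
    $rows = findProject($db, (string) $_GET['projTitle']);
} else {
    $rows = listProjects($db);
}

// Values from the database are encoded on the way out so that a stored title
// cannot be interpreted as HTML by the browser.
foreach ($rows as $row) {
    echo htmlspecialchars((string) $row['projTitle'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The point of the prepared statement is that the SQL is parsed before the value arrives, so escaping the input is no longer the application's job. The old `mysql_*` functions used in the quoted script offer no such facility and were removed from PHP in version 7, so moving to PDO or `mysqli` is the practical first step for the security review Paul mentions.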
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php