RE: Looking for help with forms/variables and an array!

Aye, aye, sir!
I changed it back!

:o)

Point noted!

-----Original Message-----
From: Robert Cummings [mailto:robert@xxxxxxxxxxxxx] 
Sent: Tuesday, June 12, 2007 1:24 PM
To: BSumrall
Cc: php-general@xxxxxxxxxxxxx
Subject: RE:  Looking for help with forms/variables and an array!

On Tue, 2007-06-12 at 13:02 -0400, BSumrall wrote:
> The purpose for register_globals is for testing and functionality purposes
> only.
> Every single example on the internet is for register_globals = on.

That's no excuse... and you're wrong.

> I am very aware of the security risk of it.

Ok... and magic_quotes? You don't seem to be escaping your data that
goes into the query either. You don't seem very "aware of the security
risk".

> Get it working and then change it back. There is plenty of literature on how
> to edit existing working code once you disable it.

Why do it twice? Why risk forgetting something after the fact? Coding
securely requires that you practice coding securely and not just hope
you can apply a coat of armorall afterwards.

> Just working with the tools I have!

The same tools I have, if not then you have more.

> As far as _tbl instead of table, I picked that one up in the military, just
> a preference.
> 
> As far as the brackets, I tried with or without;
> price_range='[$select1]'";
> price_range='$select1'";
> price_range=select1";
> 
> All the same miserable error!
> 
> Any suggestions on how to get select1 -> price_range= would truly
> be appreciated, and if your suggestion is more secure than what I am working
> with. This would be the icing on the cake!

I gave you an example at the bottom of my post. Are you passing the
$query string directly to the mysql_query() function? Maybe do the
following just before running the query:

    echo $query."\n";

Then check it to see that it's what you expect.

Cheers,
Rob.
-- 
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
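As an added illustration (not code from either poster), here is the query shape the thread argues about, written once the way register_globals and string interpolation produce it, and once with the value read explicitly from $_POST, checked against the form's known options, and bound as a prepared-statement parameter. The table name products_tbl, the option list and the mysqli connection are assumptions for the example.

```php
<?php
// Added example for the thread above; products_tbl and the option
// list are assumed, not taken from the original posts.

// --- The shape being criticised: register_globals on, no escaping ---
// $select1 appears out of thin air from the request, and interpolating
// it straight into the SQL text means a quote in the submitted value
// ends the string literal. That is the injection risk Rob points at.
function vulnerable_query($select1)
{
    return "SELECT * FROM products_tbl WHERE price_range='$select1'";
}

// --- Hardened shape: explicit input, whitelist, bound parameter ---
const ALLOWED_PRICE_RANGES = ['0-100', '100-500', '500-1000', '1000+'];

/**
 * Read select1 explicitly from the POST array (never from a global that
 * register_globals may or may not have created) and accept only values
 * the form actually offers. Returns null for anything else.
 */
function read_price_range(array $post): ?string
{
    $value = $post['select1'] ?? null;
    return in_array($value, ALLOWED_PRICE_RANGES, true) ? $value : null;
}

/**
 * Run the lookup with a bound parameter, so the user value never becomes
 * part of the SQL text; magic_quotes and manual escaping no longer matter.
 * Rob's debugging tip is applied here: the SQL template is logged before
 * it runs, which shows exactly what reaches the database.
 */
function find_products(mysqli $db, string $priceRange): array
{
    $sql = "SELECT * FROM products_tbl WHERE price_range = ?";
    error_log("running: $sql [select1=$priceRange]");
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param('s', $priceRange);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$priceRange = read_price_range($_POST);
if ($priceRange === null) {
    http_response_code(400);
    exit('Invalid price range selected.');
}
// $db = new mysqli('localhost', 'user', 'pass', 'dbname'); // assumed
// $rows = find_products($db, $priceRange);
```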

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php