On Fri, August 10, 2007 9:43 am, Jason Pruim wrote:
> I want to be able to sort that info so my sql query looks like:
> "Select * from current order by '$order';" and $order is populated by
> a GET when they click on a link: "<A href=index.php?order='Last'>Sort
> by last name</A>" Now... the whole PHP page is being included in
> a .shtml page to actually display it and make it look purrdee :)

You probably don't want to slap the '$order' into your query for two reasons:

#1. If $order comes directly from the GET (or POST or COOKIE) data, then it's untrusted, and should be filtered to be SURE it's not Evil.

#2. Assuming you want to order by some kind of column name, you don't want the apostrophes on it.

> How do I get it to resort the info and include the new sort on the
> page?
>
> I'm not sure if this has anything to do with it but:
>
> $order = $_GET['order']; <------Line 6
>
> [Fri Aug 10 10:42:04 2007] [error] PHP Notice: Undefined index:
> order in /Volumes/RAIDer/webserver/Documents/tests/legion/index.php
> on line 6

//default to lastname order:
$order = isset($_GET['order']) ? $_GET['order'] : 'lastname';

> Any help will be greatly appreciated.. And if it solves the problem
> I'll name some of my kids* after you!

I'd be happier if you spent some time reading this:
http://phpsec.org

and then filtered your $order so that you KNOW it's valid:

switch($order){
  case 'lastname':
  case 'firstname':
  case 'age':
  case 'gender':
    //pass through valid $order
    break;
  default:
    error_log("Attempted hack of order: $order");
    die("Invalid Sort Option");
    break;
}

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
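The advice above (default the sort key, allow-list it, and put the bare column name into ORDER BY without apostrophes) pulled together into one runnable script. This is an added example, not code from either poster; it assumes the table is called `current` with columns `lastname`, `firstname`, `age` and `gender` as in the thread, and the in-memory SQLite database, its rows and the simulated request values are constructed for the demonstration. It goes slightly beyond the switch statement by mapping the request value to the column through an array, which keeps the allow-list in one place if the URL parameter names and column names ever diverge.

```php
<?php
// Added example (not from the original thread): allow-list the ORDER BY column
// instead of interpolating $_GET['order'] into the SQL.
// Assumed table "current" with columns lastname, firstname, age, gender.
// The SQLite in-memory database and its rows are constructed for the demo.

// Map the value a user may send to the real column name. Only values from
// this array ever reach the query, so ORDER BY never sees untrusted text.
const SORT_COLUMNS = [
    'lastname'  => 'lastname',
    'firstname' => 'firstname',
    'age'       => 'age',
    'gender'    => 'gender',
];

/**
 * Return a safe column name for ORDER BY, or null if $requested is not one
 * of the allowed sort keys. A missing or empty value falls back to lastname
 * (this is the "Undefined index" case from the original post).
 */
function sortColumn(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return 'lastname';
    }
    return SORT_COLUMNS[$requested] ?? null;
}

/**
 * Build the query. The column name comes from the allow-list, never from the
 * request, so it needs no escaping and no apostrophes around it.
 */
function buildQuery(string $column): string
{
    return "SELECT * FROM current ORDER BY $column";
}

// --- demo with a constructed in-memory database ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE current (lastname TEXT, firstname TEXT, age INTEGER, gender TEXT)');
$db->exec("INSERT INTO current VALUES ('Pruim','Jason',30,'M'),"
        . "('Lynch','Richard',40,'M'),('Adams','Ann',25,'F')");

// Simulated values of $_GET['order'], including a hostile one (constructed).
$requests = [
    null,                                  // no ?order= in the URL at all
    'age',                                 // legitimate sort key
    "lastname'; DROP TABLE current; --",   // injection attempt
];

foreach ($requests as $order) {
    $column = sortColumn($order);
    if ($column === null) {
        // Same handling as the switch in the reply: log it and refuse.
        error_log("Attempted hack of order: $order");
        echo "Invalid Sort Option\n";
        continue;
    }
    $rows = $db->query(buildQuery($column))->fetchAll(PDO::FETCH_ASSOC);
    echo 'order=' . var_export($order, true) . ' -> '
       . implode(', ', array_column($rows, 'lastname')) . "\n";
}
```

Run it with `php sort.php`: the first request sorts by the default column, the second by age, and the third is logged and rejected before any SQL is built. The `?string` parameter type and the `??` operator need PHP 7.1 or later; on the PHP 5 of the original thread the `isset()` ternary from the reply does the same job.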