Re: Alphabetical pagination (RESOLVED)

On Thu, Jul 16, 2009 at 9:33 AM, Miller,Terion<tmiller@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Here is what finally worked:
>
>     <?php
>     $letter = isset($_GET['letter']) ? $_GET['letter'] : "A";
>
>     //alphabetical pagination links
>     echo '<div align="center"><b>';
>     foreach(range('A','Z') as $c){
>       ($letter == $c)
>         ? printf('%s&nbsp;',$c)
>         : printf('<a href="?letter=%s">%s</a>&nbsp;',$c,$c);
>     }
>     echo "</b></div><p>";
>
>     //Show all restaurants that start with $letter
>     $sql = "SELECT * FROM restaurants WHERE name LIKE '{$letter}%'";
>     $result = mysql_query($sql) or die(mysql_error());
>     while($row = mysql_fetch_assoc($result)){
>       printf('<div align="left" width="100"><b>%s</b><br>%s</br>%s</br></div><hr color=#000 width=200></hr>',
>              $row['name'], $row['address'], $row['cviolations']);
>     }
>     ?>
>
> Thanks again everyone!!
Terion,
I hope that isn't your final answer. This has SQL injection written all over it since you are neither validating that $letter is actually a letter, nor are you escaping it before passing it off to MySQL.
<?php
$letter = isset($_GET['letter']) ? $_GET['letter'] : 'A';

if (!preg_match('/^[A-Z]$/i', $letter)) {
    $letter = 'A';
    /*
       Rather than setting $letter to 'A' and continuing,
       you could generate an error if you end up in here
       so you can let the user know that what they passed
       was invalid.
    */
}

//....
?>
In this case, it should be safe to use $letter directly in the query without passing it through mysql_real_escape_string() since it should only contain a single harmless alphanumeric letter, but it wouldn't hurt (and may still be a good idea) to go ahead and escape the value in the query anyway just in case something in your code changes later that might cause some cruft to slip in.
Andrew
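A hardened version of the same page, added here as an example (it is not Terion's or Andrew's code): it keeps Andrew's whitelist check on $letter but binds the letter as a PDO parameter instead of interpolating it into the SQL string, and it drops the mysql_* extension, which no longer exists in PHP 7 and later. The DSN and credentials are placeholders, and the `restaurants` table with name, address and cviolations columns is assumed from the quoted code.

```php
<?php
// Added example: whitelisted letter plus a parameterized LIKE query.
// Assumes a `restaurants` table (name, address, cviolations) and the
// placeholder connection details below.

function normalizeLetter($input): string
{
    // Whitelist: exactly one ASCII letter, uppercased so the link
    // highlighting matches. Anything else (including a non-string such
    // as ?letter[]=x) falls back to 'A' instead of reaching the query.
    $letter = is_string($input) ? strtoupper($input) : '';
    return preg_match('/^[A-Z]$/', $letter) ? $letter : 'A';
}

$letter = normalizeLetter($_GET['letter'] ?? 'A');

$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',   // placeholder
    'YOUR_USER', 'YOUR_PASS',                                 // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

// Alphabetical pagination links; only the validated letter reaches the markup.
echo '<div align="center"><b>';
foreach (range('A', 'Z') as $c) {
    echo ($letter === $c)
        ? sprintf('%s&nbsp;', $c)
        : sprintf('<a href="?letter=%s">%s</a>&nbsp;', $c, $c);
}
echo '</b></div><p>';

// The letter travels as a bound parameter, separate from the SQL text, so
// even if the whitelist were loosened later it could not alter the query.
$stmt = $pdo->prepare(
    'SELECT name, address, cviolations FROM restaurants WHERE name LIKE ? ORDER BY name'
);
$stmt->execute([$letter . '%']);

// Database values are HTML-escaped when rendered.
foreach ($stmt as $row) {
    printf('<div align="left"><b>%s</b><br>%s<br>%s</div><hr>',
        htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['address'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $row['cviolations'], ENT_QUOTES, 'UTF-8'));
}
```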
