On Thu, Jul 16, 2009 at 11:01 AM, Andrew Ballard <aballard@xxxxxxxxx> wrote: > On Thu, Jul 16, 2009 at 9:33 AM, Miller, > Terion<tmiller@xxxxxxxxxxxxxxxxxxxx> wrote: > > > > Here is what finally worked: > > > > <?php $letter > = isset($_GET['letter']) ? $_GET['letter'] : "A"; > //alphabetical pagination links > echo '<div align="center"><b>'; > foreach(range('A','Z') as > $c){ ($letter == > $c) ? > printf('%s ',$c) > : printf('<a href="?letter=%s">%s</a> ',$c,$c); > } > echo "</b></div><p>"; > > //Show all restaurants that start with $letter > $sql = "SELECT * FROM restaurants WHERE name LIKE > '{$letter}%'"; > $result = mysql_query($sql) or die(mysql_error()); > while($row = mysql_fetch_assoc($result)){ > printf('<div > align="left" width="100"><b>%s</b><br>%s</br>%s</br></div><hr color=#000 > width=200></hr>',$row['name'],$row['address'],$result['cviolations']); > } > > ?> > > Thanks again everyone!! > > Terion, > > I hope that isn't your final answer. This has SQL injection written > all over it since you are neither validating that $letter is actually > a letter, nor are you escaping it before passing it off to MySQL. > > <?php > $letter = isset($_GET['letter']) ? $_GET['letter'] : 'A'; > > > if (!preg_match('/^[A-Z]$/i', $letter) { > $letter = 'A'; > /* > Rather than setting $letter to 'A' and continuing, > you could generate an error if you end up in here > so you can let the user know that what they passed > was invalid. > */ > > } > > > //.... > ?> > > In this case, it should be safe to use $letter directly in the query > without passing it through mysql_real_escape_string() since it should > only contain a single harmless alphanumeric letter, but it wouldn't > hurt (and may still be a good idea) to go ahead and escape the value > in the query anyway just in case something in your code changes later > that might cause some cruft to slip in. > > Andrew > My point of view: # i'll use constants for these values assert( ord('A') == 0x41 ); assert( ord('Z') == 0x5A ); # 1. get the ascii code of the 1st character or from A=0x41 $letter = ord( array_key_exists('letter', $_GET) ? strtoupper( $_GET['letter']{0} ) : 'A' ); # 2. different solutions # 2.a check if it is range ussing <= ussing constants (faster) $letter = chr( 0x41<= $letter && $letter <= 0x5A ? $letter : 0x41 ); # 2. different solutions # 2.b check if it is range min/max and with constants (faster) $letter = chr( min( max(0x41, $letter), 0x5A) ); I'd use the 2.b but this has different behaviour when $letter > Z (should this ever happen?) In the other hand I think it is the faster one. -- Martin Scotta