One question I still have...I had help with this script of course and I'm confused with the %s what does it do?
On 7/16/09 9:53 AM, "Martin Scotta" <martinscotta@xxxxxxxxx> wrote:
On Thu, Jul 16, 2009 at 11:01 AM, Andrew Ballard <aballard@xxxxxxxxx> wrote:
On Thu, Jul 16, 2009 at 9:33 AM, Miller,
Terion<tmiller@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> Here is what finally worked:
>
> <?php $letter = isset($_GET['letter']) ? $_GET['letter'] : "A"; //alphabetical pagination links echo '<div align="center"><b>'; foreach(range('A','Z') as $c){ ($letter == $c) ? printf('%s ',$c) : printf('<a href="?letter=%s">%s</a> ',$c,$c); } echo "</b></div><p>"; //Show all restaurants that start with $letter $sql = "SELECT * FROM restaurants WHERE name LIKE '{$letter}%'"; $result = mysql_query($sql) or die(mysql_error()); while($row = mysql_fetch_assoc($result)){ printf('<div align="left" width="100"><b>%s</b><br>%s</br>%s</br></div><hr color=#000 width=200></hr>',$row['name'],$row['address'],$result['cviolations']); } ?>
> Thanks again everyone!!
Terion,
I hope that isn't your final answer. This has SQL injection written
all over it since you are neither validating that $letter is actually
a letter, nor are you escaping it before passing it off to MySQL.
<?php
$letter = isset($_GET['letter']) ? $_GET['letter'] : 'A';
if (!preg_match('/^[A-Z]$/i', $letter) {
$letter = 'A';
/*
Rather than setting $letter to 'A' and continuing,
you could generate an error if you end up in here
so you can let the user know that what they passed
was invalid.
*/
}
//....
?>
In this case, it should be safe to use $letter directly in the query
without passing it through mysql_real_escape_string() since it should
only contain a single harmless alphanumeric letter, but it wouldn't
hurt (and may still be a good idea) to go ahead and escape the value
in the query anyway just in case something in your code changes later
that might cause some cruft to slip in.
Andrew
My point of view:
# i'll use constants for these values
assert( ord('A') == 0x41 );
assert( ord('Z') == 0x5A );
# 1. get the ascii code of the 1st character or from A=0x41
$letter = ord( array_key_exists('letter', $_GET) ? strtoupper( $_GET['letter']{0} ) : 'A' );
# 2. different solutions
# 2.a check if it is range ussing <= ussing constants (faster)
$letter = chr( 0x41<= $letter && $letter <= 0x5A ? $letter : 0x41 );
# 2. different solutions
# 2.b check if it is range min/max and with constants (faster)
$letter = chr( min( max(0x41, $letter), 0x5A) );
I'd use the 2.b but this has different behaviour when $letter > Z (should this ever happen?)
In the other hand I think it is the faster one.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
