> Minor note: it should be $_SERVER['QUERY_STRING'].

I realized that after I sent, but it actually runs either way.

> Accepting user input without validation opens up your application to potential
> abuse.

True. All a user would need to do is change the query string to get a different result. However, given that there is no "critical" info in the DB, I'm not terribly worried, but it remains a valid point.

> What kind of scalability? If you mean the ability to handle any number of
> fields then you need to come up with some code which basically:
...
> 3) parses the query string and only accepts fields defined in (1) and passes
> the checks defined in (2)

I hadn't thought of handling things that way. Perhaps my initial instinct wasn't as poor as I believed.

Thanks for all your help.

Edward Dudlik
Becoming Digital
www.becomingdigital.com

----- Original Message -----
From: "Jason Wong" <php-db@gremlins.biz>
To: <php-db@lists.php.net>
Sent: Tuesday, 27 May, 2003 06:00
Subject: Re: Passing data between pages

On Tuesday 27 May 2003 17:23, Becoming Digital wrote:
> I suppose there is nothing inherently wrong with it, just a seeming lack of
> elegance. The link is intended to pass information (cat_id) to a query on
> the next page, thus deciding from which category items should be listed.
>
> Thinking about it further, I do have a third option. I realized that I can
> simply append the query to read:
>
> $query = "SELECT * FROM food WHERE ".$_SERVER[QUERY_STRING];

Minor note: it should be $_SERVER['QUERY_STRING'].

> What are your opinions on that option?

Accepting user input without validation opens up your application to potential abuse.

> I am not terribly fond of it
> because it allows for no scalability. I am a big believer in developing
> re-usable code and this example seems quite limited. Thanks again.

What kind of scalability?

If you mean the ability to handle any number of fields then you need to come up with some code which basically:

1) defines which fields to accept
2) defines limits on those fields (whether they're integers/strings/whatever/etc)
3) parses the query string and only accepts fields defined in (1) and passes the checks defined in (2)

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/* It is easier to resist at the beginning than at the end. -- Leonardo da Vinci */

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
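Jason's three steps (define the accepted fields, define their limits, parse the query string and keep only what passes), written out as a PHP example that is added here and is not code from either poster. It keeps the `food` table and `cat_id` parameter from the thread; the `name` column and the PDO connection string are assumptions.

```php
<?php
// Added example, not code from the thread. It applies the three steps
// Jason lists to the "food" table and cat_id parameter under discussion.
// The "name" column and the PDO DSN are assumptions.
// 1) fields to accept, and 2) the limits on each of them
$allowed = [
    'cat_id' => ['type' => 'int'],                   // from the thread
    'name'   => ['type' => 'string', 'max' => 50],   // assumed column
];
// 3) parse the query string and keep only fields defined above that
//    pass their checks; anything else is silently dropped
function filterQuery(string $queryString, array $allowed): array
{
    parse_str($queryString, $params);
    $clean = [];
    foreach ($params as $field => $value) {
        if (!isset($allowed[$field]) || is_array($value)) {
            continue;   // unknown field, or field[]=... array syntax
        }
        $rule = $allowed[$field];
        if ($rule['type'] === 'int' && filter_var($value, FILTER_VALIDATE_INT) !== false) {
            $clean[$field] = (int) $value;
        } elseif ($rule['type'] === 'string' && strlen($value) <= $rule['max']) {
            $clean[$field] = $value;
        }
    }
    return $clean;
}

// The WHERE clause is built from whitelisted column names only; values
// are bound parameters, so user input never becomes part of the SQL text.
function buildQuery(array $clean): array
{
    $where = [];
    foreach (array_keys($clean) as $field) {
        $where[] = "$field = :$field";
    }
    $sql = 'SELECT * FROM food';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $clean];
}
$clean = filterQuery($_SERVER['QUERY_STRING'] ?? '', $allowed);
[$sql, $bind] = buildQuery($clean);
$pdo  = new PDO('mysql:host=localhost;dbname=test', 'user', 'pass'); // assumed
$stmt = $pdo->prepare($sql);
$stmt->execute($bind);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

A request such as `?cat_id=3&name=apple&extra=1` yields `SELECT * FROM food WHERE cat_id = :cat_id AND name = :name` with the two values bound, while `extra` and any non-integer `cat_id` are discarded rather than reaching the database.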