On Monday 06 October 2003 10:18, zxx10@cwru.edu wrote:

> I figured it out! The register_globals is turned
> off. To parse the id with this parameter off, I
> just need to judge whether $_GET["id"] is set or not. The problem is that I
> wrote the SQL statement as:
>
> $SQLstr="SELECT * FROM employees WHERE id=$_GET["id"]";
>
> That's a wrong one. To solve this, I do the
> following (a naive one):
> $tid=$_GET["id"];
> $SQLstr="SELECT * FROM employees WHERE id=$tid";
>
> And it's OK.

You can do something like:

    $SQLstr="SELECT * FROM employees WHERE id={$_GET['id']}";

But for security you should always check the integrity of any input that you
receive from the user. For example, in this case you should verify that
$_GET['id'] is indeed an integer and nothing else.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/*
God grant me the senility to accept the things I cannot change,
The frustration to try to change things I cannot affect,
and the wisdom to tell the difference.
*/
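The integer check recommended in the reply above, as an added example that is not part of the original thread: the id is validated before it reaches the query, and then bound as a parameter rather than interpolated. The helper names, the PDO SQLite in-memory database and the sample rows are assumptions made so the script runs on its own; only the employees table and its id column come from the thread.

```php
<?php
// Added example: validate that id is an integer, then bind it as a parameter.
// Assumptions: PHP 7.1+, PDO with the SQLite driver, and an in-memory table
// standing in for the thread's "employees" table. Both helpers are hypothetical.

function employee_id_or_null($raw): ?int
{
    // FILTER_VALIDATE_INT returns false unless the whole value is an integer;
    // min_range additionally rejects zero and negative ids.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function find_employee(PDO $db, $raw): ?array
{
    $id = employee_id_or_null($raw);
    if ($id === null) {
        return null; // invalid input never reaches the SQL layer
    }
    // The placeholder keeps the value out of the SQL text even after validation.
    $stmt = $db->prepare('SELECT * FROM employees WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO employees (id, name) VALUES (1, 'Alice'), (2, 'Bob')");

// Constructed stand-ins for $_GET['id']; null models a missing parameter.
foreach (['2', '2abc', '2 OR 1=1', '', '-1', null] as $raw) {
    $row = find_employee($db, $raw);
    printf("%-12s => %s\n", var_export($raw, true), $row ? $row['name'] : 'no row returned');
}
```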