Yes. I'll do that. In this example, the only thing that I can think of for input checking is to use the is_int() function. Are there any other ways to do the input checking? Thanks.

Zhan Xu
EECS Department
Case Western Reserve University

----- Original Message -----
From: Jason Wong <php-db@gremlins.biz>
Date: Monday, October 6, 2003 8:13 am
Subject: Re: SoS

> On Monday 06 October 2003 10:18, zxx10@cwru.edu wrote:
>
> > I figured it out! The register_globals is turned
> > off. To parse the id with this parameter off, I
> > just need to judge whether $_GET["id"] is set or not. The problem is that I
> > wrote the SQL statement as:
> >
> > $SQLstr="SELECT * FROM employees WHERE id=$_GET["id"]";
> >
> > That's a wrong one. To solve this, I do the
> > following (a naive one):
> > $tid=$_GET["id"];
> > $SQLstr="SELECT * FROM employees WHERE id=$tid";
> >
> > And it's OK.
>
> You can do something like:
>
> $SQLstr="SELECT * FROM employees WHERE id={$_GET['id']}";
>
> But for security you should always check the integrity of any input that you
> receive from the user.
>
> For example, in this case you should verify that $_GET['id'] is indeed an
> integer and nothing else.
>
> --
> Jason Wong -> Gremlins Associates -> www.gremlins.biz
> Open Source Software Systems Integrators
> * Web Design & Hosting * Internet & Intranet Applications Development *
> ------------------------------------------
> Search the list archives before you post
> http://marc.theaimsgroup.com/?l=php-db
> ------------------------------------------
> /*
> God grant me the senility to accept the things I cannot change,
> The frustration to try to change things I cannot affect,
> and the wisdom to tell the difference.
> */
>
> --
> PHP Database Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
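For the input-check question raised in this thread, an added example (not code from the thread or its authors): it shows why is_int() cannot do the job on $_GET values, validates the id with filter_var(), and passes it to the query as a bound parameter instead of interpolating it into the SQL string. The employees table and id column come from the thread; the PDO connection details and the function names are assumptions.

```php
<?php
// Added example, not from the thread: validate $_GET['id'] and keep it out of
// the SQL text entirely. The PDO DSN and credentials below are placeholders.

/**
 * Return the id as an int, or null if the value is not a positive integer.
 * is_int($_GET['id']) is always false: every value in $_GET arrives as a
 * string ("42", not 42). filter_var() checks the string's content and
 * converts it in one step, rejecting "42abc", "4.2", "" and "0x2A", which
 * (int) casts or intval() would silently accept or truncate.
 */
function validateId($raw): ?int
{
    if (!is_string($raw)) {          // rejects arrays such as ?id[]=1 too
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Look up one employee. The id is bound as a parameter, so the database
 * always receives it as a number and never as part of the SQL statement.
 */
function findEmployee(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM employees WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling: validate first, then query.
$id = validateId($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Placeholder connection details; adjust to the real database.
$db = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$employee = findEmployee($db, $id);
```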