On 18 August 2004 15:53, John Holmes wrote:

> Ford, Mike [LSS] wrote:
>
> > > $chkboxes = $_POST['ch'];
> > > $sql = 'SELECT ';
> > > foreach($chkboxes as $k => $v)
> > > {
> > >     $sql .= $v;
> > >     if($k < (sizeof($chkboxes) - 1))
> > >     {
> > >         $sql .= ', ';
> > >     }
> > > }
> > > $sql .= ' FROM form';
> >
> > $sql = 'SELECT ' . implode(', ', $chkboxes) . ' FROM form';
>
> Just note that with either solution, someone can post a value of "*
> FROM table WHERE 1#" and see everything in any table in your database.

I was waiting for someone to come in with a security warning, but knew that whoever it was would express it much better than I could ;) -- so, a gold medal to John!!

Cheers!

Mike

---------------------------------------------------------------------
Mike Ford, Electronic Information Services Adviser,
Learning Support Services, Learning & Information Services,
JG125, James Graham Building, Leeds Metropolitan University,
Headingley Campus, LEEDS, LS6 3QS, United Kingdom
Email: m.ford@xxxxxxxxxxxxxx
Tel: +44 113 283 2600 extn 4730
Fax: +44 113 283 3211
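
One way to close the hole John describes, shown as an added example that is not code from the thread: build the column list only from an allow-list of known column names, so a posted value can never reach the SQL text unless it is one of them. The column names in ALLOWED_COLUMNS and the helper name build_select() are assumptions; the thread shows only the table name `form` and the POST key `ch`.

```php
<?php
// Added example, not from the thread. Column names are assumed; only the
// table `form` and the POST key `ch` appear in the original messages.
const ALLOWED_COLUMNS = ['name', 'email', 'phone', 'city'];

/**
 * Build the SELECT from posted checkbox values, keeping only values that
 * exactly match a known column name. Returns null when nothing valid was
 * selected, so the caller can reject the request instead of running a query.
 */
function build_select($posted): ?string
{
    // A request can send ch=foo (a string) instead of ch[]=foo (an array).
    if (!is_array($posted)) {
        return null;
    }

    $cols = [];
    foreach ($posted as $v) {
        // Strict match: nested arrays and near-miss strings are dropped.
        if (is_string($v) && in_array($v, ALLOWED_COLUMNS, true)) {
            $cols[$v] = true; // keyed by name to de-duplicate
        }
    }

    if ($cols === []) {
        return null;
    }

    // Only literals from ALLOWED_COLUMNS are concatenated into the query.
    return 'SELECT ' . implode(', ', array_keys($cols)) . ' FROM form';
}

// Constructed sample inputs standing in for $_POST['ch'].
$samples = [
    ['name', 'email'],                  // normal selection
    ['name', '* FROM table WHERE 1#'],  // the value quoted in the thread, mixed in
    ['* FROM table WHERE 1#'],          // nothing valid left
    'name',                             // not an array
];

foreach ($samples as $posted) {
    var_dump(build_select($posted));
}
```

Column and table names cannot be bound as prepared-statement parameters, which is why the identifier list is checked against fixed literals here rather than escaped.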