Make sure you filter $letter before using it in the query. Replace
$letter = $_GET["letter"] with this:
preg_match('/^[A-Z]/', $_GET["letter"], $matches);
$letter = $matches[0];
If you don't do this, someone could insert malicious SQL into the
$letter variable. This regular expression will match only one capital
letter at the beginning of the string $_GET["letter"].
-Joe
On May 22, 2009, at 3:23 AM, Sascha Meyer wrote:
Hi Bill,
I don't know if I got you right but I hope this will help:
[CODE]
<?php
$baseLink = "index.php?letter="; // Assuming your file name is "index.php"; set up the base link for all pages
//alphabetical links
for($a=65;$a<(65+26);$a++){
    print "<a href=\"".$baseLink.chr($a)."\">".chr($a)."</a>\n";
}
if (isset($_GET["letter"]) && $_GET["letter"] != ""){
    $letter = $_GET["letter"];
    $sql = "SELECT * FROM species WHERE [SPECIES_NAME] LIKE '".$letter."%'"; // Replace [SPECIES_NAME] with your column name
    $res = mysql_query($sql);
    if ($res){
        while ($row = mysql_fetch_row($res)){
            // retrieve your row info
        }
    } else {
        print "Failed retrieving data set, error was: ".mysql_error();
    }
}
?>
[/CODE]
Enjoy,
Sascha
--
PHP Windows Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
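The filter from the reply at the top of this thread, combined with a bound query parameter, as an added example that is not part of either message. It uses PDO with an in-memory SQLite table in place of the thread's mysql_* calls; the function names, the sample rows and the `name` column (standing in for [SPECIES_NAME]) are assumptions.

```php
<?php
// Added example, not code from the thread. Table contents are constructed;
// the column name "name" stands in for [SPECIES_NAME].

// Return one capital letter A-Z, or null when the value does not start with one.
function letter_from_request($value): ?string
{
    // ?letter[]=A arrives as an array; preg_match() must only see strings.
    if (!is_string($value)) {
        return null;
    }
    // Same pattern as the reply: a single capital letter at the start.
    if (preg_match('/^[A-Z]/', $value, $matches) !== 1) {
        return null; // no match: $matches[0] would be undefined here
    }
    return $matches[0];
}

// Look up species by initial letter with a bound parameter instead of
// concatenating the value into the SQL text.
function species_by_letter(PDO $db, string $letter): array
{
    $stmt = $db->prepare('SELECT name FROM species WHERE name LIKE ? ORDER BY name');
    $stmt->execute([$letter . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE species (name TEXT)');
$db->exec("INSERT INTO species VALUES ('Acer rubrum'), ('Abies alba'), ('Betula pendula')");

// Constructed request values, including ones the filter has to reject.
$samples = ['A', "A' OR '1'='1", 'b', '', ['A'], "' OR 1=1 --"];
foreach ($samples as $raw) {
    $letter = letter_from_request($raw);
    $shown = json_encode($raw);
    if ($letter === null) {
        print "$shown => rejected, no query run\n";
        continue;
    }
    print "$shown => '$letter': " . implode(', ', species_by_letter($db, $letter)) . "\n";
}
```

A value that starts with a capital letter is reduced to that letter, so any trailing text never reaches the query, and the bound parameter keeps the statement intact even if the pattern is later loosened.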