[SGVLUG] A puzzling PHP / MySQL problem.

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Thu Feb 1 10:40:03 PST 2007


> -----Original Message----- Of Peter Fogg
> 
> Yes, see my post a little earlier today.

I think he meant the part where you actually MAKE the call, not where
you're still building the sub-strings of the query.  [hmm... Yup, he
posted that as I'm writing this...]

That said, I -DO- see a difference between the two points where you
build the where clause:

$whereString .= ' AND title LIKE \'%' .      $_REQUEST['title']  . '%\'';
$whereString =       'title LIKE \'%' . trim($_REQUEST['title']) . '%\'';
----------------------------------------^^^^-----------------------------

Though, honestly, I don't see how this would matter as far as /syntax/
is concerned.

Since this is a "quoted string", and it appears this is also "user
input", are you guarding against "sql injection" attacks?  Such as
someone entering the following as a website name to search for:

   asdf');DELETE FROM EVENTS;
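The concatenated WHERE clause above next to a parameterized version of the same title search, as an added example; this is not code from Tom's message or from the project being discussed. It assumes a table named `events` with a `title` column (constructed here in an in-memory SQLite database through PDO so it runs offline; the same prepared-statement calls work unchanged against MySQL with the `pdo_mysql` driver) and uses the probe string from the message as its input.

```php
<?php
// Added example, not part of the original thread. Requires the pdo_sqlite
// extension; the table and rows below are constructed sample data.
declare(strict_types=1);

// Original style: the user's input is pasted straight into the SQL text, so
// a single quote in the input ends the string literal and everything after
// it is parsed as SQL.
function buildWhereUnsafe(string $title): string
{
    return "title LIKE '%" . trim($title) . "%'";
}

// Hardened style: the SQL text is fixed and the value travels as a bound
// parameter. LIKE's own wildcards ('%' and '_') in the input are escaped so
// they match literally; '!' is chosen as the escape character because it is
// accepted unchanged by both MySQL and SQLite.
function likePattern(string $title): string
{
    $t = trim($title);
    $t = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $t);
    return '%' . $t . '%';
}

function searchEvents(PDO $db, string $title): array
{
    $stmt = $db->prepare(
        "SELECT title FROM events WHERE title LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => likePattern($title)]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (title TEXT)');
$db->exec("INSERT INTO events (title) VALUES
    ('Linux install fest'), ('PHP & MySQL talk'), ('100% volunteer day')");

// The probe string from the message.
$probe = "asdf');DELETE FROM EVENTS;";

// Concatenation: the input becomes part of the statement text.
echo "Concatenated clause: WHERE " . buildWhereUnsafe($probe) . "\n";

// Parameterized: the same input is only a search string and matches nothing.
print_r(searchEvents($db, $probe));

// Ordinary searches still work; LIKE is case-insensitive for ASCII in both
// SQLite and MySQL's default collation, so ' mysql ' finds 'PHP & MySQL talk'.
print_r(searchEvents($db, ' mysql '));

// A '%' typed by the user is matched literally instead of as a wildcard.
print_r(searchEvents($db, '100%'));
```

The `trim()` difference Tom points out does not change which of the two forms is safe: trimming only removes whitespace, so the quote in the probe still reaches the SQL text in the concatenated version, while in the prepared version the driver never lets the value be parsed as SQL.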



More information about the SGVLUG mailing list