[SGVLUG] A puzzling PHP / MySQL problem.
Peter Fogg
peter.fogg at sbcglobal.net
Thu Feb 1 11:01:15 PST 2007
Not yet, but I will before the site goes live!! Thanks for the
reminder. Also, I just posted more code for your consideration.
Peter -
On Feb 1, 2007, at 10:40 AM, Emerson, Tom (*IC) wrote:
>> -----Original Message----- Of Peter Fogg
>>
>> Yes, see my post a little earlier today.
>
> I think he meant the part where you actually MAKE the call, not where
> you're still building the sub-strings of the query. [hmm... Yup, he
> posted that as I'm writing this...]
>
> That said, I -DO- see a difference between the two points where you
> build the where clause:
>
> $whereString .= ' AND title LIKE \'%' . $_REQUEST['title'] .
> '%\'';
> $whereString = 'title LIKE \'%' . trim($_REQUEST['title']) .
> '%\'';
> ----------------------------------------
> ^^^^----------------------------
> -
>
> Though, honestly, I don't see how this would matter as far as /syntax/
> is concerned.
>
> Since this is a "quoted string", and it appears this is also "user
> input", are you guarding against "sql injection" attacks? such as
> someone entering the following as a website name to search for:
>
> asdf');DELETE FROM EVENTS;
>