Oh, right, thanks!

----- Original Message -----
From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
To: "Stephen" <[EMAIL PROTECTED]>
Sent: Sunday, November 17, 2002 4:05 PM
Subject: Re: [PHP] Protecting Queries


> No, like I said, since you set $query in your script, whatever the user
> passes in is overwritten.
>
> On Sun, 17 Nov 2002, Stephen wrote:
>
> > What I meant was something like this:
> >
> >   The user types in the URL http://myplace/script.php?query=DELETE * FROM
> > table WHERE id=1.
> >   The query is overwritten and the section is deleted...
> >
> > Is that possible?
> >
> >
> > ----- Original Message -----
> > From: "Rasmus Lerdorf" <[EMAIL PROTECTED]>
> > To: "Stephen" <[EMAIL PROTECTED]>
> > Cc: "PHP List" <[EMAIL PROTECTED]>
> > Sent: Sunday, November 17, 2002 3:46 PM
> > Subject: Re: [PHP] Protecting Queries
> >
> >
> > > No, that is fine.  User-supplied data can not override a variable defined
> > > directly in your script like that regardless of the register_globals
> > > setting.
> > >
> > > -Rasmus
> > >
> > > On Sun, 17 Nov 2002, Stephen wrote:
> > >
> > > > Since day one of me doing MySQL stuff in PHP, I've always set up my
> > > > query as a variable then put it into the query function such as this:
> > > >
> > > >     $query = "SELECT * FROM bobstuff WHERE id='1'";
> > > >     $result = mysql_query($query, $connection);
> > > >
> > > > I've just become aware of the security risks of this. How could I make it
> > > > so the $query variable isn't editable from the URL? Should I turn
> > > > register_globals off?
> > > >
> > > > Thanks,
> > > > Stephen Craton
> > > > http://www.melchior.us
> > > >
> > > > "Life is a gift from God. Wasting it is like destroying a gift you got
> > > > from the person you love most." -- http://www.melchior.us
> > >
> > >
> >
>
>
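The following script is an added illustration of the point settled in this thread; it is not code from the thread, from Stephen, or from Rasmus. Case 1 reproduces Stephen's pattern and shows the script's own assignment winning over a request parameter; case 2 shows the situation register_globals actually exposes, a variable the script reads without ever assigning it; case 3 goes a step beyond the thread by reading the input explicitly from $_GET, validating it, and binding it in a mysqli prepared statement rather than passing a string to mysql_query(). The request values are constructed, extract() only emulates register_globals=On, and the BOB_DB_* environment variable names and the bobdb database name are placeholders I chose.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. It demonstrates Rasmus's point
// (a variable assigned in the script cannot be overridden by a request
// parameter, whatever register_globals is set to), shows the pattern that
// *is* exposed under register_globals (a variable the script never
// initialises), and ends with the explicit-input, prepared-statement form.
// All request values below are constructed.

// Constructed request, as if the URL were
//   script.php?sql=SELECT+*+FROM+other_table&id=1'+OR+'1'%3D'1
$_GET = [
    'sql' => 'SELECT * FROM other_table',
    'id'  => "1' OR '1'='1",
];

// Stand-in for register_globals=On: every request parameter becomes a
// global variable. extract() is only used here to emulate that old setting.
extract($_GET, EXTR_OVERWRITE);

// Case 1 (the thread's pattern): the script assigns $query itself, so a
// ?query=... parameter could never survive; the assignment always wins.
$query = "SELECT * FROM bobstuff WHERE id='1'";
echo "case 1: $query\n";

// Case 2: the script uses $sql without ever assigning it. Under
// register_globals it already holds whatever the request supplied, which
// is the real hazard the thread is circling around.
echo "case 2: $sql\n";

// Case 3: hardened. Read input explicitly from $_GET, validate it into the
// type the query needs, and pass it as a bound parameter instead of
// splicing it into the SQL text.
function validate_id($raw): ?int
{
    // Accept only an unsigned decimal integer of sensible length.
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]{0,9}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function fetch_bobstuff(mysqli $db, int $id): array
{
    // The id never touches the SQL text; the driver sends it separately.
    $stmt = $db->prepare('SELECT * FROM bobstuff WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Run the validator over the constructed request value and a well-formed one.
foreach ([$_GET['id'] ?? null, '1'] as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        echo "case 3: rejected id " . var_export($raw, true) . "\n";
    } elseif (getenv('BOB_DB_HOST') === false) {
        // BOB_DB_* are placeholder variable names, not anything from the thread.
        echo "case 3: id $id accepted; set BOB_DB_HOST/USER/PASS to run the query\n";
    } else {
        $db = new mysqli(
            getenv('BOB_DB_HOST'),
            getenv('BOB_DB_USER') ?: '',
            getenv('BOB_DB_PASS') ?: '',
            'bobdb'
        );
        print_r(fetch_bobstuff($db, $id));
    }
}
```

Run with `php script.php` and no database: case 1 prints the script's own SELECT, case 2 prints the request-supplied text, and case 3 rejects the malformed id while accepting `1`. Turning register_globals off removes case 2 entirely, but the explicit `$_GET` lookup plus validation and binding is what keeps the query safe regardless of that setting.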


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php