I agree and I am sorry I forgot a very basic security practice. You must always check any input from a user. Make sure that the user gives you a valid number and reject the request if it is anything out of your acceptable range or datatype. Otherwise a "bad" user could compromise your database or, worse, create havoc on your server.
hf0722x, what I was trying to help correct was a basic misunderstanding of how to create dynamic SQL statements with PHP. Stuart is struggling to understand 3 environments at once (MySQL, PHP, and Dreamweaver) and I wasn't even thinking about input validation. Thanks for the catch.

Shawn Green
Database Administrator
Unimin Corporation - Spruce Pine

news <[EMAIL PROTECTED]> wrote on 09/14/2004 05:08:00 AM:

> In article <OFE319C366.FA3FA287-ON85256F0E.006E3CA7-85256F0E.
> [EMAIL PROTECTED]>,
> [EMAIL PROTECTED] writes:
>
> > Don't do an "@usrDays", just stick the number in there so that the
> > statement you create looks exactly like the one you tested with.
> >
> > If you get a "number" from a user from a form, just put that value into
> > the string. For instance if the user enters 43 into a field on the first
> > page, put 43 into the query.
> >
> > Let's imagine that you get the value 43 into a variable (off of the
> > request) called $daterange...
> > and let's imagine that you build your query into a variable called $query
> >
> > I think this is how you would build the correct query (my PHP is rusty):
> >
> > $query = "SELECT DateEntry from Entry_table WHERE DateEntry >=
> > DATE_SUB(CURDATE(), INTERVAL ". $daterange." day)";
> >
> > See? Pretend you are a typist and BUILD the string as you want it
> > executed. Then do it.
>
> I think this is bad advice, even for a novice like Stuart, because it
> is susceptible to SQL injection attacks. I don't know if PHP has
> prepared statements like Perl DBI; if not, $daterange should either be
> quoted or checked in PHP if it's really a number.
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
>
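The two fixes the thread arrives at, validating that the day count really is a number in an acceptable range and passing it to MySQL as a bound parameter instead of pasting it into the string, as an added example that is not code from any poster in the thread. It assumes the mysqli extension, a connected `mysqli` object named `$db`, and an accepted window of 1 to 3650 days; both the helper names and the bounds are assumptions for this example.

```php
<?php
// Added example: check the user's day count before it reaches the query,
// then bind it as a parameter so it cannot alter the SQL statement.

/**
 * Return the day range as an int, or null when the raw form value is not
 * a whole number inside [$min, $max]. The bounds are an assumption here.
 */
function validDayRange(string $raw, int $min = 1, int $max = 3650): ?int
{
    $raw = trim($raw);
    // FILTER_VALIDATE_INT rejects "43 day", "4e1", "0x2B" and "";
    // min_range/max_range reject anything outside the accepted window.
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $n === false ? null : $n;
}

/**
 * Same query as in the thread, but with a "?" placeholder; the value is
 * sent separately through bind_param, so only the data changes, never
 * the structure of the statement.
 */
function fetchRecentEntries(mysqli $db, string $rawDays): array
{
    $days = validDayRange($rawDays);
    if ($days === null) {
        // Reject the request rather than guessing what the user meant.
        throw new InvalidArgumentException('daterange must be a whole number of days');
    }
    $stmt = $db->prepare(
        'SELECT DateEntry FROM Entry_table '
        . 'WHERE DateEntry >= DATE_SUB(CURDATE(), INTERVAL ? DAY)');
    $stmt->bind_param('i', $days);   // 'i' = bind as an integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed sample inputs, as they might arrive in $_POST['daterange'].
foreach (['43', ' 7 ', 'abc', '43 day', '-5', '99999', ''] as $input) {
    $v = validDayRange($input);
    printf("%-9s -> %s\n", var_export($input, true),
        $v === null ? 'rejected' : "ok ($v)");
}
```

Only `43` and ` 7 ` pass the check; the rest are rejected before any SQL is built, which is the "check in PHP if it's really a number" half of the advice, while `bind_param` covers the "prepared statements" half.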