little error
-list($id) = mysql_fetch_row(mysql_query("SELECT uid FROM users WHERE
+list($uid) = mysql_fetch_row(mysql_query("SELECT uid FROM users WHERE
Majk
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, 4 September 2009 13:00
To: [email protected]; [email protected]
Subject: RE: a better way, code technique?
You should escape $username before passing it to mysql if it's user
submitted data ... sql-injection
one/two liner: but error prone!
$un = mysql_real_escape_string($username);
list($id) = mysql_fetch_row(mysql_query("SELECT uid FROM users WHERE
username='{$un}'"));
better would be
$result = mysql_query...
if (!$result)
    die("error: ".mysql_error());
list($uid) = mysql_fetch_row($result);
if (!$uid)
    die("no user with {$username} found!");
// do something with $uid
Majk
-----Original Message-----
From: AndrewJames [mailto:[email protected]]
Sent: Friday, 4 September 2009 12:52
To: [email protected]
Subject: a better way, code technique?
Is there a better way (hopefully simpler) to code this?
I want to get the user id of the logged in user to use in my next statement.
$q1 = sprintf("SELECT uid FROM users WHERE users.username='$username'");
$result1 = mysql_query($q1);
$uid = mysql_fetch_array($result1);
$u = $uid['uid'];
It seems like a long way around to get 1 bit of data??
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[email protected]
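The lookup the thread is discussing, written with a prepared statement so that no escaping step can be forgotten and query errors cannot go unchecked. This is an added example, not code from the thread; it assumes PDO with the SQLite driver and an in-memory database with a constructed users table so it runs stand-alone (swap the DSN for a mysql: one against a real server).

```php
<?php
// Added example: the uid lookup from the thread done with PDO prepared
// statements instead of string interpolation + mysql_real_escape_string().
// Assumption: pdo_sqlite is available; the schema and rows are constructed.

function connect(): PDO
{
    $db = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false, so the
    // "if (!$result) die(...)" check from the thread can never be omitted.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample schema and data.
    $db->exec("CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)");
    $db->exec("INSERT INTO users (uid, username) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Returns the uid for $username, or null when no such user exists.
// $username is bound as a parameter: quotes inside it are data, never SQL,
// so no escaping call is needed and none can be forgotten.
function lookupUid(PDO $db, string $username): ?int
{
    $stmt = $db->prepare("SELECT uid FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

$db = connect();
var_dump(lookupUid($db, 'alice'));
var_dump(lookupUid($db, 'carol'));
// A username containing a quote and SQL fragments matches nothing,
// because the whole string is compared literally against the column.
var_dump(lookupUid($db, "alice' OR '1'='1"));
```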