On Fri, 27 Aug 2004 18:29:50 -0400, Ryan Schefke <[EMAIL PROTECTED]> wrote:

Thomas,

I'm not sure what your point is.  Please expand.

Ryan


Do you really see nothing wrong with announcing to all users that they can
run arbitrary SQL with your script?



Well, the WHERE clause in MySQL is relatively safe, but suppose the user changes giftprint.php?passid=1&sort=WHERE thankyou='Not Sent' ORDER BY cash ASC to, say, giftprint.php?passid=1&sort=OR 1, as the absolute most basic example. PHP no longer supports sending multiple queries with one mysql_query, which makes this not as bad, but if you put SQL in the URL or in a form, you are just begging to have it changed. At the very least have sort=cash. Ideally the query should look something like:


$sarr = array('name', 'event', 'description', 'cash', 'action', 'thankyou'); // whitelist: sort= is an index into this list, never raw SQL
$sort = isset($sarr[intval($_GET['sort'])]) ? $sarr[intval($_GET['sort'])] : 'name'; // unknown index falls back to name
$query = 'SELECT `name`, `event`, `description`, `cash`, `action`, `thankyou` FROM `gifts`'
       . ' WHERE customerID=' . intval($_GET['passid']) . ' ORDER BY `' . $sort . '`';


--

Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
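The injection described in the reply above, worked through end to end as an added example (not code from the thread or from giftprint.php). It ports the idea to Python with an in-memory SQLite table so it runs offline: the `gifts` column names are the ones the post uses, the schema, the rows, the `intval` helper and the function names `giftprint_vulnerable`/`giftprint_hardened` are assumptions made for this example. The vulnerable version pastes `passid` and `sort` straight into the SQL string; the hardened version applies the whitelist sketched in the post (an integer index into a fixed column list, an integer-cast `passid`, and a bound placeholder rather than concatenation).

```python
import re
import sqlite3

# Constructed sample data standing in for the `gifts` table discussed in the
# thread (column names taken from the post; the rows are invented here).
GIFTS = [
    (1, 'Alice', 'Wedding', 'Blender', 50, 'Keep', 'Sent'),
    (1, 'Bob', 'Wedding', 'Vase', 20, 'Return', 'Not Sent'),
    (2, 'Carol', 'Birthday', 'Book', 15, 'Keep', 'Not Sent'),
]

# The whitelist from the post: sort= is an index into this list, never raw SQL.
SORT_COLUMNS = ['name', 'event', 'description', 'cash', 'action', 'thankyou']

SELECT = 'SELECT name, event, description, cash, action, thankyou FROM gifts'


def make_db():
    """In-memory SQLite table shaped like the gifts table (assumed schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE gifts (customerID INTEGER, name TEXT, event TEXT, '
                 'description TEXT, cash INTEGER, action TEXT, thankyou TEXT)')
    conn.executemany('INSERT INTO gifts VALUES (?, ?, ?, ?, ?, ?, ?)', GIFTS)
    return conn


def intval(s):
    """Approximate PHP's intval(): leading optional sign and digits, else 0."""
    m = re.match(r'\s*[+-]?\d+', s)
    return int(m.group()) if m else 0


def giftprint_vulnerable(conn, passid, sort):
    """The pattern the thread objects to: both URL parameters are pasted
    straight into the SQL string, so sort= (and passid=) are attacker-chosen SQL."""
    query = SELECT + ' WHERE customerID=' + passid + ' ' + sort
    return conn.execute(query).fetchall()


def giftprint_hardened(conn, passid, sort):
    """The fix the post sketches: passid forced to an integer, sort resolved
    through the whitelist (an out-of-range index falls back to the first
    column), and the integer bound with a placeholder instead of concatenated."""
    idx = intval(sort)
    column = SORT_COLUMNS[idx] if 0 <= idx < len(SORT_COLUMNS) else SORT_COLUMNS[0]
    query = SELECT + ' WHERE customerID=? ORDER BY ' + column
    return conn.execute(query, (intval(passid),)).fetchall()


def run_demo():
    """Run both versions with a legitimate request and with the OR 1 payload."""
    conn = make_db()
    return {
        # intended use of the original URL: customer 1's gifts sorted by cash
        'legit_vuln': giftprint_vulnerable(conn, '1', 'ORDER BY cash ASC'),
        # sort=OR 1 turns the WHERE into "customerID=1 OR 1": every customer's rows
        'attack_vuln': giftprint_vulnerable(conn, '1', 'OR 1'),
        # same payload against the whitelist: intval('OR 1') is 0, so ORDER BY name
        'attack_hard': giftprint_hardened(conn, '1', 'OR 1'),
        # legitimate hardened request: sort=3 selects the cash column
        'legit_hard': giftprint_hardened(conn, '1', '3'),
    }


if __name__ == '__main__':
    for label, rows in run_demo().items():
        print(label, [row[0] for row in rows])
```

Running it shows the point of the reply: the `OR 1` payload makes the vulnerable query return Carol's row (customer 2) alongside customer 1's, while the whitelisted version returns only customer 1's rows in name order. The fallback to the first column is a design choice for the example; rejecting an out-of-range index with an error is equally valid, as long as the raw parameter never reaches the query string.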


