Yes, but $sql is passed to the database, which has no understanding of $_GET. Will it take PHP that much longer to make this assignment: $criteria_integer = $_GET['criteria_integer'];
With the benefit that the SQL is much easier to read" $sql = "SELECT * FROM tablename WHERE tablename.column='$criteria_integer' "; Or maybe you need another layer of quotes, but I'd vote for clarity. Miles Thompson At 10:44 AM 1/10/2002 -0500, Erik Price wrote: >I thought that $_GET[] and $_POST[] could be used in place of regular >variables... that is, > >$sql = "SELECT * FROM tablename WHERE >tablename.column=$_GET['criteria_integer']"; > >but unfortunately, this isn't working. > > >On Thursday, January 10, 2002, at 08:18 AM, Ford, Mike [LSS] wrote: > >>>-----Original Message----- >>>From: Erik Price [mailto:[EMAIL PROTECTED]] >>>Sent: 09 January 2002 19:22 >>> >>>I'm trying to write my code in accordance with the PHP 4.1.0 security >>>advisory -- that is, I want to use the $_GET and $_POST arrays when >>>grabbing variables passed with GET and POST forms. But how should I >>>construct the variables for a "switch" statement? I'm left confused, >>>since these aren't written with the "$" prefix as most >>>variables are... >> >>Err -- yes, they are! >> >>>Should it be: >>> case "_POST['insert']" >>> >>>or should it be: >>> case "$_POST['select']" >> >>What's wrong with: >> >> case $_POST['insert'] >> >>But, if you insist on the quotes, it needs to be: >> >> case "{$_POST['insert']}" >> >>to ensure that the array index gets processed properly. >> >>Cheers! >> >>Mike >> >>--------------------------------------------------------------------- >>Mike Ford, Electronic Information Services Adviser, >>Learning Support Services, Learning & Information Services, >>JG125, James Graham Building, Leeds Metropolitan University, >>Beckett Park, LEEDS, LS6 3QS, United Kingdom >>Email: [EMAIL PROTECTED] >>Tel: +44 113 283 2600 extn 4730 Fax: +44 113 283 3211 > > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, e-mail: [EMAIL PROTECTED] >For additional commands, e-mail: [EMAIL PROTECTED] >To contact the list administrators, e-mail: [EMAIL PROTECTED] -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]
