Yes, but $sql is passed to the database, which has no understanding of 
$_GET. Will it take PHP that much longer to make this assignment:
$criteria_integer = $_GET['criteria_integer'];

With the benefit that the SQL is much easier to read:
$sql = "SELECT * FROM tablename WHERE tablename.column='$criteria_integer' ";

Or maybe you need another layer of quotes, but I'd vote for clarity.

Miles Thompson

At 10:44 AM 1/10/2002 -0500, Erik Price wrote:
>I thought that $_GET[] and $_POST[] could be used in place of regular 
>variables... that is,
>
>$sql = "SELECT * FROM tablename WHERE 
>tablename.column=$_GET['criteria_integer']";
>
>but unfortunately, this isn't working.
>
>
>On Thursday, January 10, 2002, at 08:18 AM, Ford, Mike [LSS] wrote:
>
>>>-----Original Message-----
>>>From: Erik Price [mailto:[EMAIL PROTECTED]]
>>>Sent: 09 January 2002 19:22
>>>
>>>I'm trying to write my code in accordance with the PHP 4.1.0 security
>>>advisory -- that is, I want to use the $_GET and $_POST arrays when
>>>grabbing variables passed with GET and POST forms.  But how should I
>>>construct the variables for a "switch" statement?  I'm left confused,
>>>since these aren't written with the "$" prefix as most
>>>variables are...
>>
>>Err -- yes, they are!
>>
>>>Should it be:
>>>         case "_POST['insert']"
>>>
>>>or should it be:
>>>         case "$_POST['select']"
>>
>>What's wrong with:
>>
>>     case $_POST['insert']
>>
>>But, if you insist on the quotes, it needs to be:
>>
>>     case "{$_POST['insert']}"
>>
>>to ensure that the array index gets processed properly.
>>
>>Cheers!
>>
>>Mike
>>
>>---------------------------------------------------------------------
>>Mike Ford,  Electronic Information Services Adviser,
>>Learning Support Services, Learning & Information Services,
>>JG125, James Graham Building, Leeds Metropolitan University,
>>Beckett Park, LEEDS,  LS6 3QS,  United Kingdom
>>Email: [EMAIL PROTECTED]
>>Tel: +44 113 283 2600 extn 4730      Fax:  +44 113 283 3211


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
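Putting the thread's points together in one script, as an added example that is not code from any of the posters: the curly-brace interpolation Mike describes, what Miles' quoted $criteria_integer becomes when the request value is not actually an integer, and a validated, parameter-bound alternative. It assumes PHP 7+ with PDO available; the request values are constructed.

```php
<?php
// Added example, not code from any poster in this thread. Assumes PHP 7+.
// Constructed request values stand in for a real GET/POST request.
$_GET  = ['criteria_integer' => "5' OR '1'='1"];   // hostile value, for illustration
$_POST = ['insert' => 'yes'];

// 1. Erik's form "...=$_GET['criteria_integer']" is a parse error inside double
//    quotes; the curly-brace form Mike gives is what PHP accepts.
$sql = "SELECT * FROM tablename WHERE tablename.column='{$_GET['criteria_integer']}'";
// The quotes Miles adds do not help once the value itself carries a quote:
// the statement is now ...column='5' OR '1'='1' and matches every row.

// 2. The name says "integer", so enforce that before the value goes anywhere near SQL.
function criteria_integer_from_request(array $request): int
{
    $value = filter_var($request['criteria_integer'] ?? null, FILTER_VALIDATE_INT);
    if ($value === false) {
        throw new InvalidArgumentException('criteria_integer must be an integer');
    }
    return $value;
}

// 3. Better than interpolation of any kind: bind the value as a parameter.
function find_by_criteria(PDO $db, int $criteria_integer): array
{
    $stmt = $db->prepare('SELECT * FROM tablename WHERE tablename.column = :c');
    $stmt->execute([':c' => $criteria_integer]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. switch on a superglobal needs no quoting tricks; the default branch is
//    what keeps unexpected input out of the rest of the script.
switch ($_POST['insert'] ?? '') {
    case 'yes':
        $action = 'insert';
        break;
    default:
        $action = 'none';
}

try {
    $criteria_integer = criteria_integer_from_request($_GET);  // throws for the value above
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit($e->getMessage());
}
```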