Re: [PHP] Dynamic DB query - form display
Hi Adrian,

You can still use the text input, but you must ensure that the input is filtered first. There is a wealth of information on SQL injection and its prevention on the Internet. Try these for starters:

http://shiflett.org/articles/security-corner-apr2004
http://dev.mysql.com/tech-resources/articles/guide-to-php-security-ch3.pdf

Cheers,

David Grant

Adrian Bruce wrote:
>
> I'm aware it would be a security hole if it were available to all users,
> but it's just for me at the mo, other users get a watered down version
> with just check boxes. I basically want to allow flexible filtering of
> a set of data but obviously this poses a few challenges, any ideas
> always welcome!
>
> Thanks for the tip by the way, I ended up doing the following:
>
> $field = stripslashes(htmlentities($field, ENT_QUOTES));
>
> Adrian
>
> David Grant wrote:
>
>> Hi Adrian,
>>
>> This appears to be a security hole, but since that wasn't the reason for
>> the question, please try:
>>
>> echo "";
>>
>> php.net/htmlentities
>>
>> Cheers,
>>
>> David Grant
>>
>> Adrian Bruce wrote:
>>
>>> Hi
>>>
>>> I am trying to dynamically create a query based on form input for an
>>> intranet. I have a text input that allows a user to input part of a
>>> where clause such as - not like '04%' -. This bit works fine, but I
>>> would like to display the clause back in the form field when the page
>>> reloads.
>>>
>>> $clause = "not like '04%'";
>>> echo "";
>>>
>>> Now obviously I hit a problem with the use of the quotation marks ' '
>>> and just see - not like \ - in the form field. I need to keep the '
>>> marks around the 04% for the query. Any ideas how I can do this?
>>>
>>> Any help much appreciated!
>>>
>>> Adrian

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
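As an added illustration (not code from anyone in this thread), the snippet below does the two things discussed above: it redisplays a clause containing quotes in the form field by encoding rather than stripping them, and it shows the "watered down" shape David's filtering advice points to, where the operator comes from a fixed list and the pattern is passed as a bound parameter instead of raw SQL text. The table and column names (`items`, `code`) and the input name `clause` are assumptions for the example.

```php
<?php
// Added example, not from the original thread.
declare(strict_types=1);

// 1. Redisplaying the clause: encode the quotes for the attribute, do not strip them.
//    On old PHP with magic_quotes_gpc on, submitted data arrives with backslashes
//    added (that is where "not like \" in the field comes from), so undo that first.
function formValue(string $raw): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    // ENT_QUOTES encodes both ' and " so the value cannot break out of the attribute.
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

$clause = "not like '04%'";
echo '<input type="text" name="clause" value="' . formValue($clause) . '">';
// value="not like &#039;04%&#039;"  -> the browser shows: not like '04%'

// 2. Restricted version for other users: operator from a whitelist, pattern bound.
//    The user never supplies SQL text, only a choice and a value.
const ALLOWED_OPS = [
    'like'     => 'LIKE',
    'not like' => 'NOT LIKE',
    '='        => '=',
    '<>'       => '<>',
];

function buildFilter(string $op, string $pattern): array
{
    if (!isset(ALLOWED_OPS[$op])) {
        throw new InvalidArgumentException('operator not allowed');
    }
    // Column name is fixed in code (hypothetical table/column for this example);
    // only the pattern travels as a parameter.
    return [
        'sql'    => 'SELECT * FROM items WHERE code ' . ALLOWED_OPS[$op] . ' :pattern',
        'params' => [':pattern' => $pattern],
    ];
}

$q = buildFilter('not like', '04%');
// $stmt = $pdo->prepare($q['sql']);  // $pdo is an existing PDO connection (assumed)
// $stmt->execute($q['params']);
```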
Re: [PHP] Dynamic DB query - form display
I'm aware it would be a security hole if it were available to all users, but it's just for me at the mo, other users get a watered down version with just check boxes. I basically want to allow flexible filtering of a set of data but obviously this poses a few challenges, any ideas always welcome!

Thanks for the tip by the way, I ended up doing the following:

$field = stripslashes(htmlentities($field, ENT_QUOTES));

Adrian

David Grant wrote:
> Hi Adrian,
>
> This appears to be a security hole, but since that wasn't the reason for
> the question, please try:
>
> echo "";
>
> php.net/htmlentities
>
> Cheers,
>
> David Grant
>
> Adrian Bruce wrote:
>
>> Hi
>>
>> I am trying to dynamically create a query based on form input for an
>> intranet. I have a text input that allows a user to input part of a
>> where clause such as - not like '04%' -. This bit works fine, but I
>> would like to display the clause back in the form field when the page
>> reloads.
>>
>> $clause = "not like '04%'";
>> echo "";
>>
>> Now obviously I hit a problem with the use of the quotation marks ' '
>> and just see - not like \ - in the form field. I need to keep the '
>> marks around the 04% for the query. Any ideas how I can do this?
>>
>> Any help much appreciated!
>>
>> Adrian
Re: [PHP] Dynamic DB query - form display
Hi Adrian,

This appears to be a security hole, but since that wasn't the reason for the question, please try:

echo "";

php.net/htmlentities

Cheers,

David Grant

Adrian Bruce wrote:
> Hi
>
> I am trying to dynamically create a query based on form input for an
> intranet. I have a text input that allows a user to input part of a
> where clause such as - not like '04%' -. This bit works fine, but I
> would like to display the clause back in the form field when the page
> reloads.
>
> $clause = "not like '04%'";
> echo "";
>
> Now obviously I hit a problem with the use of the quotation marks ' '
> and just see - not like \ - in the form field. I need to keep the '
> marks around the 04% for the query. Any ideas how I can do this?
>
> Any help much appreciated!
>
> Adrian
[PHP] Dynamic DB query - form display
Hi

I am trying to dynamically create a query based on form input for an intranet. I have a text input that allows a user to input part of a where clause such as - not like '04%' -. This bit works fine, but I would like to display the clause back in the form field when the page reloads.

$clause = "not like '04%'";
echo "";

Now obviously I hit a problem with the use of the quotation marks ' ' and just see - not like \ - in the form field. I need to keep the ' marks around the 04% for the query. Any ideas how I can do this?

Any help much appreciated!

Adrian