Re: [PHP] Re: syntax question

2007-03-26 Thread Richard Lynch
None of the previous posts added any security...

They all ONLY provided different syntax to leave your database wide
open for abuse.

This is much safer:
$cat_name_sql = mysql_real_escape_string($_POST['cat_name']);
$query = "insert into categories (category_name) values
('$cat_name_sql')";

You could/should also check for what you consider valid characters in
a 'cat_name'

// the D modifier makes $ match only at the very end of the string, so a
// value like "name\n" is rejected instead of slipping past the anchor
if (!preg_match("|^[a-z0-9_ -]+$|iD", $_POST['cat_name'])) {
  //tell the user their cat_name is invalid, and don't do the INSERT
}

On Mon, March 26, 2007 10:14 am, Ross wrote:
> thanks.
>
> ""Ross"" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> Can I put post values directly into insert statements?
>>
>> $query = "INSERT INTO categories (category_name) VALUES
>> ('$_POST['cat_name'])";
>


-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
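Added example, not Richard's code or anything posted on the list: the interpolated INSERT from the original question beside a prepared-statement version, run through PDO against an in-memory SQLite database so it works without a MySQL server (the table, the payload, and the function names are constructed for this demo). Two facts worth knowing since this thread was written: mysql_real_escape_string() needs an open connection to work at all, and the whole mysql extension was removed in PHP 7, so binding the value as a parameter is what current PHP offers. With the constructed payload the unsafe function leaves two rows in the table, the safe one leaves a single row whose name is the payload text itself, and the allow-list check rejects both the payload and a name with a trailing newline.

```php
<?php
// Added example (not from the thread): interpolated INSERT vs. bound parameter,
// using PDO + in-memory SQLite. Table and inputs are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, category_name TEXT NOT NULL)');

// Vulnerable: user input is pasted into the SQL text. A crafted name closes
// the quoted value and smuggles a second row (or anything else) into the statement.
function insertUnsafe(PDO $db, string $catName): int
{
    $query = "INSERT INTO categories (category_name) VALUES ('$catName')";
    return $db->exec($query);   // number of rows affected
}

// Safe: the value travels as a bound parameter, never as SQL text, so the
// same payload is stored literally as one category name.
function insertSafe(PDO $db, string $catName): int
{
    $stmt = $db->prepare('INSERT INTO categories (category_name) VALUES (:name)');
    $stmt->execute([':name' => $catName]);
    return $stmt->rowCount();
}

// Optional allow-list check, the same character set as the post's preg_match,
// anchored with \A and \z so a trailing newline cannot get past a $ anchor.
function isValidCatName(string $catName): bool
{
    return preg_match('/\A[a-z0-9_ -]+\z/i', $catName) === 1;
}

function countRows(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM categories')->fetchColumn();
}

$payload = "Books'), ('injected";   // constructed attacker input

insertUnsafe($db, $payload);
echo "unsafe: ", countRows($db), " row(s)\n";

$db->exec('DELETE FROM categories');
insertSafe($db, $payload);
echo "safe:   ", countRows($db), " row(s)\n";
echo "stored: ", $db->query('SELECT category_name FROM categories')->fetchColumn(), "\n";

var_dump(isValidCatName('Science Fiction'));
var_dump(isValidCatName($payload));
var_dump(isValidCatName("Books\n"));
```

Run it with `php inject_demo.php`; it needs the pdo_sqlite extension, which ships enabled in most PHP builds. The allow-list is a second line of defence only: a category name like "O'Neill" is legitimate, and the prepared statement handles it without any validation at all.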



[PHP] Re: syntax question

2007-03-26 Thread Ross
thanks.

""Ross"" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> Can I put post values directly into insert statements?
>
> $query = "INSERT INTO categories (category_name) VALUES 
> ('$_POST['cat_name'])"; 




[PHP] Re: syntax question

2003-03-06 Thread Niels Andersen
By the way, beware of possibly buggy code:

strpos() will return 0 if the string begins with '-', but it will return
FALSE if '-' is not found in the string.

Since both 0 and FALSE will evaluate to boolean false in your condition, you
may get weird results.

Use this instead: (strpos($a, '-') !== FALSE) ?

"Jimmy" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> I'm looking through some existing code for a project I'm working on, but
> I keep running into this syntax that I really don't understand. Here's
> an example:
>
> $a=strpos($a,'-')?explode('-',$a,2):array($a);
>
> What do the ? and the : do here?  I'm seeing this sort of thing all over
> and just have no idea what ? : do. Thanks.
>
>



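Added example, mine rather than code from the thread, that runs the quoted one-liner and Niels's strict form side by side over constructed inputs. For "-def" the loose version returns the string unsplit because strpos() returned 0, while the strict version splits it into "" and "def"; the other inputs agree, which is why this bug hides so well.

```php
<?php
// Added example (not from the thread): loose vs. strict strpos() test.
// Function names and inputs are constructed for this demo.

// As posted: a dash at offset 0 makes strpos() return 0, which the ternary
// treats exactly like FALSE, so the string is never split.
function splitLoose(string $a): array
{
    return strpos($a, '-') ? explode('-', $a, 2) : array($a);
}

// Strict comparison distinguishes "found at offset 0" from "not found".
function splitStrict(string $a): array
{
    return strpos($a, '-') !== false ? explode('-', $a, 2) : array($a);
}

foreach (['abc-def', 'abcdef', '-def', 'a-b-c'] as $input) {
    printf("%-8s loose=%s strict=%s\n", $input,
        json_encode(splitLoose($input)), json_encode(splitStrict($input)));
}
```

The same 0-versus-FALSE confusion bites any "is this substring present" check written as `if (strpos(...))`, including ones meant to detect forbidden input, so the `!== false` form is the one to grep for in review.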



[PHP] Re: syntax question - eregi()

2002-09-20 Thread Anthony Ritter

Thank you.
TR







[PHP] Re: syntax question - eregi()

2002-09-19 Thread Philip Hallstrom

If memory serves, $match will contain an array whose 0th element is the
entire string and whose 1st element contains whatever is matched in the
first (), 2nd element matches the second () and so on.

Check the manpage for more...

and when testing things like this out try adding the following for
debugging reasons:

print("<pre>");
print_r($match);
print("</pre>");

that will let you see what $match looks like in its entirety.

good luck

On Thu, 19 Sep 2002, Anthony Ritter wrote:

> I'm having difficulty understanding what the array does or refers to in the
> eregi() function using php.
>
> Listing below are returned strings with
> [0]
> [1]
> [2]
> ..
>
>  $fp =fopen("C:\\TextFiles\\Test.htm","r");
> $content = fread($fp,10);
> eregi("(.*) $FinalLine=$match[2];
> echo "$FinalLine";
> ?>
> ...
>
> quick brown fox jumped over the lazy dog // output with $match[1]
> .
>
> quick brown fox jumped over the lazy dog.
>  ..
>
> //output is nothing with $match[2]
> ...
>
> Description:
> int eregi ( string pattern, string string [, array regs])
> 
>
> Thank you.
> Tony Ritter
>
>
>
>
>


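Added example, not from the thread, showing the array layout Philip describes. eregi() was removed in PHP 7, so preg_match() with the i flag stands in; it fills the array the same way: [0] is the text matched by the whole pattern, [1] the first (...) group, [2] the second. The HTML string, the pattern, and the function name are constructed for this demo. The last part shows the one caveat a reader of $match[2] should know: a trailing group that takes no part in the match is left out of the array entirely rather than set to an empty string.

```php
<?php
// Added example (not from the thread): how capturing groups fill $match.
// HTML sample, pattern and function name are constructed for this demo.

function titleAndHeading(string $html): array
{
    $match = [];
    // Two capturing groups: the <title> text and the first <h1> text.
    // The s flag lets .* cross newlines; i makes the tag names case-insensitive.
    if (preg_match('|<title>(.*?)</title>.*?<h1>(.*?)</h1>|is', $html, $match)) {
        return $match;
    }
    return [];
}

$html = "<HTML><head><title>Test page</title></head>\n"
      . "<body><H1>quick brown fox jumped over the lazy dog</H1></body></html>";

// The debugging idiom from the post: dump the whole array inside <pre>.
print("<pre>");
print_r(titleAndHeading($html));
print("</pre>");

// Caveat: a trailing group that does not take part in the match is omitted
// from $match, so index 2 does not exist here. Read it with ?? (or isset())
// instead of assuming every group index is present.
$m = [];
preg_match('/(quick)( brown)?/i', 'quick fox', $m);
print_r($m);
echo 'group 2: ', $m[2] ?? '(absent)', "\n";
```

Run with `php match_demo.php`. Since PHP 7.2 the PREG_UNMATCHED_AS_NULL flag makes preg_match() report such groups as null instead of dropping them, which is easier to check for than a missing index.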