Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-19 Thread Eric Butera
> > Could you direct me towards any good resources on general security with
> > php/mysql?
>
> http://phpsec.org/library/

Make sure to read these:
- data filtering
- sql injection
. . .and all the others in time. =)

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-18 Thread Paul Jinks
Richard Davey wrote:
> There are various issues re: SQL injection and lack of filtering going on here,
> but perhaps not best to dwell on those -just yet-, as long as you are aware that
> your script is lacking in all forms of security? Then you can address that once
> you've got it working
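Added example, not code from this thread or from any of its posters: the concatenated query the thread settles on, placed next to a prepared-statement version so the injection Richard and Eric are pointing at can be seen rather than read about. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (the same prepared-statement calls work unchanged with PDO's MySQL driver). The `project` table and `projTitle` column are from the thread; the other columns, the rows and the hostile input are constructed for the example.

```php
<?php
// Added example (not from the thread). PDO + SQLite in memory so it runs
// stand-alone; table name and projTitle column come from the thread, the
// id/summary columns and the rows below are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE project (id INTEGER PRIMARY KEY, projTitle TEXT, summary TEXT)');
$db->exec("INSERT INTO project (projTitle, summary) VALUES
    ('Bees in urban gardens', 'public'),
    ('Soil acidity survey',   'public'),
    ('Internal draft',        'not meant to be listed')");

// The pattern from the thread: the request value is pasted straight into
// the SQL text, so a quote in the input becomes part of the query.
function findProjectVulnerable(PDO $db, string $title): array
{
    $sql = "SELECT id, projTitle FROM project WHERE projTitle = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the query text is fixed at prepare time and the value is
// bound separately, so it can only ever be compared as a title string.
function findProjectSafe(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, projTitle FROM project WHERE projTitle = ?');
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request values. In the real page these would come from
// $_GET['projTitle'] (the replacement for $HTTP_GET_VARS suggested in the
// thread); they are hard-coded here so the script runs offline.
$normal  = 'Soil acidity survey';
$hostile = "x' OR '1'='1";   // closes the quote, then makes WHERE always true

foreach (['vulnerable' => 'findProjectVulnerable', 'prepared' => 'findProjectSafe'] as $label => $fn) {
    foreach (['normal' => $normal, 'hostile' => $hostile] as $kind => $input) {
        $rows = $fn($db, $input);
        printf("%-10s %-7s input: %d row(s): %s\n",
            $label, $kind, count($rows),
            implode(', ', array_column($rows, 'projTitle')));
    }
}
```

With the three constructed rows, the concatenated query returns one row for the genuine title and all three rows (including the one that was never meant to be listed) for the hostile value, because the WHERE clause has become `projTitle = 'x' OR '1'='1'`. The prepared statement returns one row for the genuine title and none for the hostile value, since the whole string is compared literally against `projTitle`. Whatever database extension is used, the fix is the same shape: keep the SQL text constant and pass user-supplied values as bound parameters instead of building them into the string with `.`.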

RE: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread Kilbride, James
EMAIL PROTECTED]
> Sent: Friday, December 16, 2005 8:21 AM
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] PHP/MySQL noob rides again.. into trouble
>
> David Grant wrote:
>
> > $SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
> > $HTTP_GET_

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread David Grant
Paul,

Paul Jinks wrote:
> David Grant wrote:
>> $SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
>> $HTTP_GET_VARS['projTitle'] . "'";
>
> Yep, that fixed it. Thanks. I had a feeling there was a mix up with the
> "s and 's. What's with the . s?

The . is a concatenation operator, i.e. i

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread Paul Jinks
Richard Davey wrote:
> ($HTTP_GET_VARS), because lots do not. I would suggest replacing
> $HTTP_GET_VARS with $_GET (in all instances), because the long format will
> eventually vanish and your script will cease to work.

Cheers Rich, will sort this out. I assume you removed the MySQL details t

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread Paul Jinks
David Grant wrote:
> $SQLQuery = "SELECT * FROM project WHERE projTitle = '" . $HTTP_GET_VARS['projTitle'] . "'";

Yep, that fixed it. Thanks. I had a feeling there was a mix up with the "s and 's. What's with the . s?

> Not sure why you've got the or die() there.

I had the idea that you cou

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread Richard Davey
On 16 Dec 2005, at 12:30, Paul Jinks wrote:
> I have a site where users can search study projects. I'd like to be able to
> click on a project title which passes a variable to this page, which then
> displays all the data on that project in a table. Cool - and to a noob like
> me, actually pretty

Re: [PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread David Grant
Paul Jinks wrote:
> $SQLQuery = "SELECT * FROM project WHERE
> projTitle = ".$HTTP_GET_VARS['projTitle']
> or die("SQLQuery 1 failed");

$SQLQuery = "SELECT * FROM project WHERE projTitle = '" . $HTTP_GET_VARS['projTitle'] . "'";

Not sure why you've got the or die()

[PHP] PHP/MySQL noob rides again.. into trouble

2005-12-16 Thread Paul Jinks
Hi all, I have a site where users can search study projects. I'd like to be able to click on a project title which passes a variable to this page, which then displays all the data on that project in a table. Cool - and to a noob like me, actually pretty exciting. Except it doesn't work. I g