  1. #1
    SitePoint Evangelist
    Join Date
    Jun 2010
    Posts
    453
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)

    notation for using a $POST value with WHERE

    Validation aside what's the proper notation for using a $POST value (or any other array value) in this mysql query?

    Code:
    SELECT *
    FROM table
    WHERE addr = $POST['addr_clear']

  2. #2
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,806
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    PHP Code:
    // assign the raw POST value to a plain variable, then concatenate it into the query string
    $addr_clear = $_POST['addr_clear'];
    $sql = "SELECT *
    FROM TABLE
    WHERE addr = '" . $addr_clear . "'";
    Assuming you would use a POST value within a query without first validating, but you already know that.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3
    SitePoint Evangelist
    Join Date
    Jun 2010
    Posts
    453
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    That's the way I've always done it; with a variable. I'm just trying to decide whether mysql allows an array's index? If it does, what's the notation for using it? I thought I tried all the notation possibilities. Maybe not. I'd just like to know if it's possible, what's the correct notation. I understand it's not best practice.

  4. #4
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,806
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    Just the same as if you were using a variable and escaping as I have done in the example.
    The array index would work the same as the variable.
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  5. #5
    SitePoint Evangelist
    Join Date
    Jun 2010
    Posts
    453
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Gotcha.

    Thanks.

  6. #6
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,803
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Never use a $_POST variable for anything other than as input to a validation function.

    It is the variable that contains the validated value that you would use in the actual processing (such as a database query).

    If you don't, then all anyone needs to do is enter an appropriate value in the field to get a dump of your entire database content.

    All they'd need to do is to enter " or 1=1; drop table into $addr_clear to both dump the entire content of the table and then delete the entire table.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">
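    The following is an added example, not code posted in this thread. It answers the notation question from posts #2 and #4 (an array element inside a double-quoted string) and then applies felgall's rule from post #6: $_POST is only ever the input to a validation function, and the query runs on the validated copy through a prepared statement. The table name `addresses`, the DSN and credentials, and the whitelist pattern in validateAddr() are assumptions for the example; the thread only says "table".

```php
<?php
// Added example, not from the thread. Assumes a MySQL table named
// `addresses` (hypothetical) with a column `addr`; connection details are
// placeholders.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=example_db;charset=utf8mb4',
    'example_user',
    'example_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // let the server do the binding
    ]
);

// 1. The notation asked about in posts #1 and #3: an array element inside a
//    double-quoted string needs curly braces. This is the same string
//    concatenation as post #2 and is just as injectable; it is shown only to
//    answer the notation question and must not be executed.
$unsafeSql = "SELECT * FROM addresses WHERE addr = '{$_POST['addr_clear']}'";

// 2. felgall's rule: $_POST is only input to a validation function. The
//    function returns a clean copy or null, never the raw value.
function validateAddr(array $post): ?string
{
    if (!isset($post['addr_clear']) || !is_string($post['addr_clear'])) {
        return null;
    }
    $addr = trim($post['addr_clear']);
    // Constructed whitelist for this example: letters, digits, space, comma,
    // period, hyphen, 1 to 100 characters. Adjust to the real field's rules.
    if (!preg_match('/^[A-Za-z0-9 ,.\-]{1,100}$/', $addr)) {
        return null;
    }
    return $addr;
}

// 3. Even the validated value is passed as a bound parameter, so the SQL text
//    and the data reach the server separately and a quote in the value can
//    never terminate the string literal.
function findByAddr(PDO $pdo, string $addr): array
{
    $stmt = $pdo->prepare('SELECT * FROM addresses WHERE addr = :addr');
    $stmt->bindValue(':addr', $addr, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$addrClear = validateAddr($_POST);
if ($addrClear === null) {
    http_response_code(400);
    exit('Invalid address');
}
$rows = findByAddr($pdo, $addrClear);
```

    The validated variable is what the rest of the script uses, exactly as post #6 describes; the prepared statement is the extra step that makes the query safe even if the whitelist is later loosened.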

