Validation aside what’s the proper notation for using a $POST value (or any other array value) in this mysql query?
SELECT *
FROM table
WHERE addr = $POST['addr_clear']
Validation aside what’s the proper notation for using a $POST value (or any other array value) in this mysql query?
SELECT *
FROM table
WHERE addr = $POST['addr_clear']
$addr_clear = $_POST['addr_clear'];
$sql = "SELECT *
FROM TABLE
WHERE addr = '". $addr_clear ."'";
assuming you would use a POST value within a query without first validating but you already know that
That’s the way I’ve always done it; with a variable. I’m just trying to decide whether mysql allows a array’s index? If if it does, what’s the notation for using it? I thought I tried all the notation possibilities. Maybe not. I’d just like to know if it’s possible, what’s the correct notation. I understand it’s not best practice.
Just the same as if you were using a variable and escaping as I have done in the example.
The array index would work the same as the variable.
Gotcha.
Thanks.
Never use a $_POST variable for anything other than as input to a validation function.
It is the variable that contains the validated value that you would use in the actual processing (such as a database query).
If you don’t then all anyone need do is to enter an appropriate value in the field to get a dump of your entire database content.
All they’d need to do is to enter " or 1=1; drop table into $addr_clear to both dump the entire content of the table and then delete the entire table.