[SGVLUG] A puzzling PHP / MySQL problem.
Emerson, Tom (*IC)
Tom.Emerson at wbconsultant.com
Thu Feb 1 10:40:03 PST 2007
> -----Original Message----- Of Peter Fogg
>
> Yes, see my post a little earlier today.
I think he meant the part where you actually MAKE the call, not where
you're still building the sub-strings of the query. [hmm... Yup, he
posted that as I'm writing this...]
That said, I -DO- see a difference between the two points where you
build the where clause:
$whereString .= ' AND title LIKE \'%' . $_REQUEST['title'] . '%\'';
$whereString = 'title LIKE \'%' . trim($_REQUEST['title']) . '%\'';
----------------------------------^^^^
Though, honestly, I don't see how this would matter as far as /syntax/
is concerned.
Since this is a "quoted string", and it appears this is also "user
input", are you guarding against "sql injection" attacks? Such as
someone entering the following as a website name to search for:
asdf');DELETE FROM EVENTS;
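The concern raised above, as an added example that is not part of the original post or the poster's code: the thread's concatenated LIKE clause placed beside a parameterized version, run against a constructed `events` table in an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is available). A tautology payload typed into the search field makes the concatenated query return every row, while the bound-parameter version treats the same input as a literal search string. The escaping of `%` and `_` is an extra step beyond what the thread discusses, so that wildcards typed by the user do not widen the search.

```php
<?php
// Added example, not from the original post. The `events` table, its rows
// and the injection payload below are constructed here for illustration.
// Assumes the pdo_sqlite extension is present.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, website TEXT)');
$db->exec("INSERT INTO events (title, website) VALUES
    ('LUG meeting',   'sgvlug.org'),
    ('Install fest',  'example.org'),
    ('Board meeting', 'example.net')");

// What the thread's code does: the trimmed request value is spliced straight
// into the SQL text, so a quote in the input ends the string literal early.
function vulnerableSearch(PDO $db, string $title): array
{
    $whereString = 'title LIKE \'%' . trim($title) . '%\'';
    $sql = 'SELECT id, title FROM events WHERE ' . $whereString;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: the value travels as a bound parameter and never becomes
// part of the SQL text. The LIKE wildcards inside the user's string are
// escaped so a typed "%" or "_" matches literally; ESCAPE names the escape
// character so the pattern is read the same way by SQLite and MySQL.
function safeSearch(PDO $db, string $title): array
{
    $escaped = strtr(trim($title), ['\\' => '\\\\', '%' => '\%', '_' => '\_']);
    $stmt = $db->prepare("SELECT id, title FROM events WHERE title LIKE ? ESCAPE '\\'");
    $stmt->execute(['%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed payload. Concatenated, the WHERE clause becomes
//   title LIKE '%asdf%' OR '%'='%'
// and the tautology selects every row.
$payload = "asdf%' OR '%'='";

printf("vulnerable search, payload:  %d rows\n", count(vulnerableSearch($db, $payload))); // 3
printf("parameterized search, payload: %d rows\n", count(safeSearch($db, $payload)));     // 0
printf("parameterized search, 'meeting': %d rows\n", count(safeSearch($db, 'meeting')));  // 2
```

Run it with `php example.php`. The same pattern applies to MySQL by changing the PDO DSN; the point is that the query text is fixed at `prepare()` time and the request value can only ever be data.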