On Monday, September 1, 2014 8:29:35 AM UTC+8, Eric Eslinger wrote:
> This is what you'd call, strictly speaking, a php question.
>
> http://php.net/manual/en/reserved.variables.get.php
>
> $_GET is used for conditional rendering and whatnot in PHP. In the earlier angular stuff, you construct a URL thusly: ajax/updateTask.php?taskID="+item+"&status="+status
>
> and then that variable is directly inserted into your SQL call here:
>
> $query="select ID, TASK, STATUS from tasks where status like '$status' order by status,id desc";
>
> Which is pretty much asking for someone to ask for a task whose status is 1';drop table tasks;-- or something like that.
>
> Eric

I don't think $_GET['status'] from gettask.php gets its data from this line ajax/updateTask.php?taskID="+item+"&status="+status, cause in gettask.php you can change $_GET['status'] into $_GET['statusxx'] and it will still work.
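For readers following the thread, here is the gettask.php query discussed above in its interpolated form next to a prepared-statement version. This is an added example, not code from either poster; the DSN, credentials and the set of allowed status values are assumptions.

```php
<?php
// Added example, not code from either poster. Shows the gettask.php query
// quoted above in its interpolated (unsafe) form next to a prepared-statement
// version. DSN, credentials and the allowed status values are assumptions.
declare(strict_types=1);

// Vulnerable form, as quoted in the thread: the raw $_GET value becomes part
// of the SQL text, so a value like 1';drop table tasks;-- rewrites the
// statement. Kept for comparison only.
function getTasksUnsafe(PDO $pdo, string $status): array
{
    $query = "select ID, TASK, STATUS from tasks where status like '$status' order by status,id desc";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed and the value is bound as a parameter,
// so whatever the client sends is compared as data, never parsed as SQL.
function getTasksSafe(PDO $pdo, string $status): array
{
    $stmt = $pdo->prepare(
        'SELECT ID, TASK, STATUS FROM tasks WHERE status LIKE :status ORDER BY status, id DESC'
    );
    $stmt->execute([':status' => $status]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

// Defence in depth: status is a small known set (assumed values), so reject
// anything else before it reaches the database at all.
$allowed = ['0', '1', '%'];
$status  = $_GET['status'] ?? '';
if (!in_array($status, $allowed, true)) {
    http_response_code(400);
    exit('invalid status');
}

header('Content-Type: application/json');
echo json_encode(getTasksSafe($pdo, $status));
```

Note that binding the parameter fixes the injection regardless of where the value originally came from, which is the point the two posters disagree about.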
-- You received this message because you are subscribed to the Google Groups "AngularJS" group. Visit this group at http://groups.google.com/group/angular.
