>
> Could you direct me towards any good resources on general security with
> php/mysql?
>
http://phpsec.org/library/
Make sure to read these:
- data filtering
- sql injection
. . .and all the others in time. =)
Richard Davey wrote:
There are various issues re: SQL injection and lack of filtering going
on here, but perhaps not best to dwell on those -just yet-, as long as
you are aware that your script is lacking in all forms of security?
Then you can address that once you've got it working.
> Sent: Friday, December 16, 2005 8:21 AM
> Cc: php-general@lists.php.net
> Subject: Re: [PHP] PHP/MySQL noob rides again.. into trouble
>
> David Grant wrote:
>
> > $SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
> > $HTTP_GET_
Paul,
Paul Jinks wrote:
> David Grant wrote:
>> $SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
>> $HTTP_GET_VARS['projTitle'] . "'";
>
> Yep, that fixed it. Thanks. I had a feeling there was a mix up with the
> "s and 's. What's with the . s?
The . is a concatenation operator, i.e. i
Richard Davey wrote:
($HTTP_GET_VARS), because lots do not. I would suggest replacing
$HTTP_GET_VARS with $_GET (in all instances), because the long format
will eventually vanish and your script will cease to work.
Cheers Rich, will sort this out.
I assume you removed the MySQL details t
David Grant wrote:
$SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
$HTTP_GET_VARS['projTitle'] . "'";
Yep, that fixed it. Thanks. I had a feeling there was a mix up with the
"s and 's. What's with the . s?
Not sure why you've got the or die() there.
I had the idea that you cou
On 16 Dec 2005, at 12:30, Paul Jinks wrote:
I have a site where users can search study projects. I'd like to be
able to click on a project title which passes a variable to this
page, which then displays all the data on that project in a table.
Cool - and to a noob like me, actually pretty
Paul Jinks wrote:
> $SQLQuery = "SELECT * FROM project WHERE
> projTitle = ".$HTTP_GET_VARS['projTitle']
> or die("SQLQuery 1 failed");
$SQLQuery = "SELECT * FROM project WHERE projTitle = '" .
$HTTP_GET_VARS['projTitle'] . "'";
Not sure why you've got the or die()
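The concatenated query David posted does fix the quoting error, but it still builds the SQL text out of whatever arrives in the request, which is the injection problem Richard mentioned earlier in the thread. The following is an added example, not code from the thread or from any of its posters: it shows the thread's pattern next to a parameterised version using PDO prepared statements, switches from $HTTP_GET_VARS to $_GET, and moves the failure check onto the statement execution where it actually does something. It assumes PHP 7 or later, a MySQL database reachable through PDO, and the `project` table and `projTitle` column named in the thread; the connection credentials are placeholders.

```php
<?php
// Added example (not from the php-general thread). Assumes PHP 7+, PDO with
// the MySQL driver, and the `project` table / `projTitle` column from the thread.

// UNSAFE: the value from the request becomes part of the SQL text, so the
// database parses user input as SQL. Kept only to contrast with the safe
// version below; do not use this form.
function findProjectUnsafe(PDO $pdo, string $title): array
{
    $SQLQuery = "SELECT * FROM project WHERE projTitle = '" . $title . "'";
    return $pdo->query($SQLQuery)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL and the value separately, so the
// value can never change the structure of the query, whatever it contains.
function findProjectSafe(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare("SELECT * FROM project WHERE projTitle = :title");
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Data filtering (the first item on the phpsec.org reading list): decide what
// a valid projTitle looks like and reject anything else up front. Note that
// this is a sanity check, not the injection defence; the prepared statement is.
$title = $_GET['projTitle'] ?? '';
if ($title === '' || strlen($title) > 200) {
    http_response_code(400);
    exit('Missing or invalid projTitle');
}

// Placeholder connection details; replace with your own.
$pdo = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]
);

// This is where the thread's "or die('SQLQuery 1 failed')" belongs: around the
// execution, not around a string assignment (which can never fail). Log the
// real error server-side and show the user only a generic message.
try {
    $rows = findProjectSafe($pdo, $title);
} catch (PDOException $e) {
    error_log('SQLQuery 1 failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Query failed');
}

// Build the results table; escape on output so stored data cannot inject
// HTML or script into the page.
echo '<table>';
foreach ($rows as $row) {
    echo '<tr>';
    foreach ($row as $cell) {
        echo '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
echo '</table>';
```

The same idea works with mysqli (`prepare()`, `bind_param()`, `execute()`) if PDO is not available; what matters is that the title travels as a bound parameter rather than as part of the query string, so the quoting question that started this sub-thread never comes up.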