
Pancake

Members
  • Posts: 33
  • Joined
  • Last visited: Never

Contact Methods

  • Website URL: http://www.newerth.com

Profile Information

  • Gender: Not Telling

Pancake's Achievements
  • Rank: Newbie (1/5)
  • Reputation: 0

  1. I'm guessing you mean...

       <?php
       class someThing {
           public function someFunction() {
               /* */
               return 'foo';
           }
       }
       /* */
       class anotherThing {
           protected $do;
           function __construct() {
               $this->do = new someThing();
           }
           public function display() {
               echo $this->do->someFunction();
           }
       }
       $a = new anotherThing();
       $a->display();
  2. "INSERT INTO ... WHERE username='" . $_POST['username'] . "'" is the same as "INSERT INTO ... WHERE username='{$_POST['username']}'"
  3. Right-click the file first, and then give yourself permissions to edit it.
  4. Ahh... you have a good point there... I've only been on this forum for so long.
  5. Examples:
       - http://www.phpfreaks.com/forums/index.php/topic,177199.0.html
       - http://www.phpfreaks.com/forums/index.php/topic,177132.0.html
     (I'm assuming cpg_db_query doesn't auto-escape queries?)
  6. I know how to escape them. I probably was not conveying my point very clearly. Lately, I've seen newer people post code that uses $_POST directly in their SQL statements, and I've seen almost nobody point it out. Anyway, best method (I think):

       <?php
       function escapeString($str) {
           // Undo magic_quotes' automatic backslashes first so the value
           // is not escaped twice.
           if (get_magic_quotes_gpc()) {
               $str = stripslashes($str);
           }
           return mysql_real_escape_string($str);
       }
  7. Is it just me, or is there nothing wrong with inserting $_POST and $_GET variables into SQL queries? I've seen a lot of:

       mysql_query("SELECT * FROM users WHERE username='" . $_POST['username'] . "'");

     because can't a user send along:

       foo' OR 1=1 --

     It seems like we are teaching new people to rely on Magic_quotes.
  8. http://en.wikibooks.org/wiki/Programming:PHP:SQL_Injection
  9. Is it just me, or is there nothing wrong with directly using a $_POST variable in an SQL query?
  10. <?php setcookie("cartId", "", time() - 3600); ?>

      Should work just fine. Even time()-1 should work. (I think)
  11. And crafty users can change hidden form fields and disabled fields, so treat hidden/disabled fields as if they were not hidden/disabled
  12. I like it because you can reuse the code very easily, AND it's extremely easy to pass variables between functions. For example:

        <?php
        class myExample {
            var $num = 1;
            function add() {
                $this->num++;
            }
            function returnNum() {
                return $this->num;
            }
        }
        $example = new myExample();
        $example->add();
        echo $example->returnNum(); // Returns 2
        $example->add();
        $example->add();
        $example->add();
        echo $example->returnNum(); // Returns 5
  13. ???

        $query = "UPDATE `news` SET `title` = '" . $_POST['title'] . "', `description` = '" . $_POST['description'] . "', `author` = '" . $_POST['author'] . "', `main_page` = '" . $_POST['main_page_display'] . "' WHERE `id` = '" . $_POST['id'] . "';";

      If it wasn't for magic_quotes_gpc, then that would mean bad news...
  14. AAHHHH!!! SQL INJECTION!!!! Try something like this:

        <?php
        $name     = escapeString($_POST['name']);
        $email    = escapeString($_POST['email']);
        $username = escapeString($_POST['username']);
        $password = escapeString(md5($_POST['password']));

        // let's check to see if the username already exists
        $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
        $username_exist = mysql_num_rows($checkuser);

        /* Stuff removed to shorten post */

        $query = "INSERT INTO users (name, email, username, password) VALUES('$name', '$email', '$username', '$password')";
        mysql_query($query) or die(mysql_error());

        /* Removed to shorten post */

        function escapeString($str) {
            // Strip magic_quotes' backslashes before escaping, otherwise the
            // value gets escaped twice.
            if (get_magic_quotes_gpc()) {
                $str = stripslashes($str);
            }
            return mysql_real_escape_string($str);
        }
        ?>
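Posts 6, 7, 13 and 14 above all turn on the same point: a $_POST value spliced into the SQL text is parsed as SQL. The following is an added example, not code from any of Pancake's posts, that puts the concatenated query from post 7 next to a prepared statement and runs both against the injected value quoted there. It uses an in-memory SQLite database through PDO (the `pdo_sqlite` extension is assumed to be installed); the `users` table, its two rows and the hostile input are constructed for the demonstration. The concatenated lookup matches every row because `--` comments out the closing quote, while the prepared lookup matches nothing, since the bound value is never interpreted as SQL.

```php
<?php
// Added example (not from the forum posts): string concatenation of a
// request value into SQL versus a prepared statement with a bound parameter.
// Assumes the pdo_sqlite extension; everything below is constructed data.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
    // Constructed sample rows; the password column holds placeholder hashes.
    $db->exec("INSERT INTO users (username, password) VALUES ('alice', 'h1'), ('bob', 'h2')");
    return $db;
}

// The pattern the posts warn about: the raw value becomes part of the SQL text,
// so quotes and comment markers inside it change the statement's meaning.
function lookupConcat(PDO $db, string $username): array {
    $sql = "SELECT username FROM users WHERE username='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: the SQL is compiled once with a placeholder and the value is bound
// separately, so it can only ever be compared as data. This does not depend on
// mysql_real_escape_string() or magic_quotes, which the posts rely on.
function lookupPrepared(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT username FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$hostile = "foo' OR 1=1 --";   // the input quoted in post 7

printf("concat:   [%s]\n", implode(',', lookupConcat($db, $hostile)));
printf("prepared: [%s]\n", implode(',', lookupPrepared($db, $hostile)));
printf("prepared: [%s]\n", implode(',', lookupPrepared($db, 'alice')));
```

Run it with `php` on the command line. The same `prepare()`/`execute()` pattern applies to the INSERT in post 14 and the UPDATE in post 13: each `$_POST[...]` concatenation becomes a named placeholder and the values go into the `execute()` array.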