labiere Posted August 7, 2008 Share Posted August 7, 2008 Noob here. I haven't been able to find an example of this syntax, although it seems like it ought to be a common situation. I am passing a parameter to my page in the URL via a query string http://www.labiere.com?drink=beer I parse the parameter using $_GET: $drink = $_GET['drink']; Now I want to make a query to my SQL table where my condition is to grab the row that has $drink as the index. // Incorrect syntax $query = "SELECT * FROM table WHERE beverage=$drink"; Is this a syntax error, or do I instead have to select each row and check its value against $drink in a looped if statement? Quote Link to comment Share on other sites More sharing options...
SeanHarding Posted August 7, 2008 Share Posted August 7, 2008 $query = "SELECT * FROM table WHERE beverage='$drink'"; dont forget to ' ' your variable. Quote Link to comment Share on other sites More sharing options...
Johntron Posted August 7, 2008 Share Posted August 7, 2008 Looks good, but you still have to pass the resulting $query to mysql_query(). Your code still has a serious security vulnerability too though. It'd be really easy for someone to see things they shouldn't with a simple SQL injection. Quote Link to comment Share on other sites More sharing options...
labiere Posted August 7, 2008 Author Share Posted August 7, 2008 Your code still has a serious security vulnerability too though. It'd be really easy for someone to see things they shouldn't with a simple SQL injection. Can you point me to a topic thread or URL on this subject? Fortunately there is nothing sensitive in my DB on this site, but I would like to learn the best methods from the start. Quote Link to comment Share on other sites More sharing options...
SeanHarding Posted August 7, 2008 Share Posted August 7, 2008 Im guessing the best way to learn would be to try a book, but its always good to get a basic knowlege of how things work anyway. Just keep playing for now. I have found that to be the best way for me. You only realy have to worry about injection attacks if you have sensative information in your database like names addresses nuklear launch codes ect. But for now if you dont mind people looking through your test databases (or loosing them) just keep playing. Quote Link to comment Share on other sites More sharing options...
Johntron Posted August 7, 2008 Share Posted August 7, 2008 At the very least, use mysql_real_escape_string on any user input before inserting it into the database. http://us.php.net/manual/en/function.mysql-real-escape-string.php hackthissite.org is a good place to learn about SQL injections and more. Hands on hacking tutorials, woohoo! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.