Thanks Carlos
Matthew Zimmerman
mz34 at nyu.edu
Wed Sep 11 15:11:25 EDT 2002
I am quite new to all of this so this advice has been great.
Matt
On Wednesday, September 11, 2002, at 02:50 PM, Carlos A Hoyos wrote:
>
> 1- It's a good idea to use aliases in the query to make it easier to read:
>
> $query= "SELECT images.id as imageid, format.id as formatid, format.name as formatname
> FROM images, format
> WHERE images.id=$id"; /* $id is passed from a form */
>
> 2- If you use extract, variables $imageid, $formatid and $formatname will have the expected values. You can also use $row["imageid"], $row["formatid"] and $row["formatname"], without having to use extract.
>
> 3- Just a side note: If you're building the query out of data received from the outside, take necessary precautions validating it, as well as handling any errors in case the resulting query is bad/empty.
>
> One backdoor to hack pages, for example, is to craft a URL to your page passing $id= "3; delete from mysql.user where 1=1". If executed, this query could do some damage to your db.
>
> Matthew Zimmerman <mz34 at nyu.edu>
> 09/11/2002 01:25 PM
> To: NYPHP Talk <talk at nyphp.org>
> cc:
> Subject: [nycphp-talk] Printing from arrays.
> Please respond to talk
>
> Hello,
>
> Sorry if this is a RTFM question, but this list has been such a great
> resource I wanted to start here.
>
> Just a question about printing from an array using PHP/MySQL
>
> My real database and code is a little more complex than this, but to
> illustrate my problem let me say
>
> 1. I have two tables: "images" and "format". They each have two fields
> "id" and "name".
>
> 2. I have a query that says
>
> $query= "SELECT images.id, format.id, format.name
> FROM images, format
> WHERE images.id=$id"; /* $id is passed from a form */
>
> 3. Then I assign the results to an array using
>
> $result= mysql_query($query);
>
> while ($row=mysql_fetch_array($result))
> {
> extract($row);
> }
>
> 4. Then I want to print the results which I would think would go like
> this:
>
> echo "$images.id, $format.id, $format.name";
>
> But it seems these are not the keys in the array, but instead there is
> just one $id key and the value of that is whatever "id" came last in
> the query. In other words, if the query read "Select format.id,
> images.id" then there would be a value in the array for $id equal to
> "images.id" and if query read "Select images.id, format.id" then there
> would be a value in the array for the key $id equal to "format_id".
>
> I expected there would be two keys in the array: images.id and format.id
>
> Am I wrong to expect that?
>
> Thanks for any help. I am new to PHP and databases and this code I am
> using I got from a book, so maybe it is the wrong technique.
>
>
> Matt Zimmerman
> NYU
>
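Added example, not part of the original thread or written by either poster: the aliased query from the reply, with $id validated as an integer and bound as a parameter, and the empty-result case handled. It assumes PHP 7.1+ with the pdo_sqlite extension; the in-memory tables, the format_id join column, and the helpers clean_id() and fetch_image() are hypothetical and constructed for illustration.

```php
<?php
// Added example: constructed schema and rows in an in-memory SQLite database
// (assumes the pdo_sqlite extension) standing in for the thread's MySQL tables.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE images (id INTEGER PRIMARY KEY, name TEXT, format_id INTEGER)');
$db->exec('CREATE TABLE format (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO format VALUES (7, 'jpeg')");
$db->exec("INSERT INTO images VALUES (3, 'skyline', 7)");

// Hypothetical helper: accept the id only if it is a positive integer.
function clean_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: returns the aliased row, or null if rejected or not found.
function fetch_image(PDO $db, $raw): ?array
{
    $id = clean_id($raw);
    if ($id === null) {
        return null;                      // reject instead of building a query
    }
    // Aliases give each column its own key; the placeholder keeps $id as data.
    $stmt = $db->prepare(
        'SELECT images.id AS imageid, format.id AS formatid, format.name AS formatname
           FROM images JOIN format ON format.id = images.format_id
          WHERE images.id = :id'
    );
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;  // empty result handled explicitly
}

// Inputs as they would arrive from a form or URL (constructed).
foreach (['3', '42', '3; delete from mysql.user where 1=1'] as $raw) {
    $row = fetch_image($db, $raw);
    if ($row === null) {
        echo "id " . var_export($raw, true) . ": rejected or not found\n";
        continue;
    }
    echo "{$row['imageid']}, {$row['formatid']}, {$row['formatname']}\n";
}
```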