nichemtktg — 2013-07-27T14:43:11-04:00 — #1
Validation aside, what's the proper notation for using a $POST value (or any other array value) in this MySQL query?
WHERE addr = $POST['addr_clear']
spikez — 2013-07-27T17:04:14-04:00 — #2
$addr_clear = $_POST['addr_clear'];
$sql = "SELECT *
WHERE addr = '". $addr_clear ."'";
Assuming you would use a POST value within a query without first validating, but you already know that.
nichemtktg — 2013-07-27T17:20:13-04:00 — #3
That's the way I've always done it: with a variable. I'm just trying to decide whether MySQL allows an array's index. If it does, what's the notation for using it? I thought I tried all the notation possibilities. Maybe not. I'd just like to know if it's possible, and what the correct notation is. I understand it's not best practice.
spikez — 2013-07-27T17:45:14-04:00 — #4
Just the same as if you were using a variable and escaping as I have done in the example.
The array index would work the same as the variable.
nichemtktg — 2013-07-27T18:03:48-04:00 — #5
felgall — 2013-07-27T19:49:48-04:00 — #6
Never use a $_POST variable for anything other than as input to a validation function.
It is the variable that contains the validated value that you would use in the actual processing (such as a database query).
If you don't, then all anyone needs to do is enter an appropriate value in the field to get a dump of your entire database content.
All they'd need to do is to enter " or 1=1; drop table into $addr_clear to both dump the entire content of the table and then delete the entire table.
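Added example, not code from any post in this thread: it shows the notation the question asks about, why concatenating a $_POST value into the SQL text is the problem felgall describes, and the validate-then-bind form that avoids it. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name and rows are constructed for the example.

```php
<?php
// Added example, not from the thread. In-memory SQLite via PDO; the
// "addresses" table and its rows are constructed here for illustration.

// The notation the question asks about: inside a double-quoted string PHP
// needs the braced form {$_POST['addr_clear']}. This builds the query the
// thread warns against: the raw input becomes part of the SQL text.
function buildUnsafeQuery(array $post): string
{
    return "SELECT * FROM addresses WHERE addr = '{$post['addr_clear']}'";
}

// The form felgall describes: validate first, then hand the validated value
// to a prepared statement. The SQL carries only a placeholder and the value
// is bound separately, so the database never parses it as SQL.
function findByAddress(PDO $pdo, array $post): array
{
    $addr = $post['addr_clear'] ?? null;
    if (!is_string($addr) || $addr === '' || strlen($addr) > 200) {
        throw new InvalidArgumentException('addr_clear missing or too long');
    }
    $stmt = $pdo->prepare('SELECT * FROM addresses WHERE addr = :addr');
    $stmt->execute([':addr' => $addr]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE addresses (id INTEGER PRIMARY KEY, addr TEXT)');
$pdo->exec("INSERT INTO addresses (addr) VALUES ('1 Main St'), ('2 Oak Ave')");

// A normal submission matches exactly one row.
$rows = findByAddress($pdo, ['addr_clear' => '1 Main St']);
printf("normal input: %d row(s)\n", count($rows));

// The thread's injection string (adapted to the single-quoted literal) is
// compared as plain text by the prepared statement: no match, nothing dropped.
$bad = ['addr_clear' => "' or 1=1; drop table"];
$rows = findByAddress($pdo, $bad);
printf("injected input: %d row(s)\n", count($rows));

// The same string concatenated into the query text shows why it is dangerous:
// the quote closes the literal and everything after it is read as SQL.
echo buildUnsafeQuery($bad), PHP_EOL;
```

Run with `php example.php` (needs the pdo_sqlite extension); the last line prints the broken query without executing it.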