Re: PHP and PostgreSQL question on identifier limits. - Mailing list pgsql-general

From Robert Paulsen
Subject Re: PHP and PostgreSQL question on identifier limits.
Date
Msg-id 200408151922.52723.robert@paulsenonline.net
Whole thread Raw
In response to Re: PHP and PostgreSQL question on identifier limits.  (Matteo Beccati <php@beccati.com>)
List pgsql-general
On Sunday 15 August 2004 06:58 pm, Matteo Beccati wrote:
> Hi,
>
> > $_GET['sort'] && $_SESSION['sort']=$_GET['sort'];
> > $sort=$_SESSION['sort'];
> > $sort || $sort="field1";
>
> First of all I don't feel very comfortable with this exotic syntax, but
> this is not the right place to discuss about it ;)
>

I guess "exotic" depends on your background.

> > $query="SELECT
> > field1 AS \"<a href=$PHP_SELF?sort=field1>field1</a>\",
> > field2 AS \"<a href=$PHP_SELF?sort=field2>field2</a>\",
> > field3 AS \"<a href=$PHP_SELF?sort=userid>field3</a>\"
> > FROM my_table ORDER BY $sort";
> >
> > $tbl=new Table($query);
> > $tbl->print();
>
> Is there a good reason why you don't add hyperlinks inside your Table
> class, instead than using column names for such a purpose?

That might be the best solution. This code has evolved from a time before I
was using classes. Used to be a simple function call. With classes I could
add the ability to assign links to the headers.

>
>
> P.S.
> Handling column sorting like you're doing is a big security risk! I hope
> you are doing some more checks on $sort, otherwise SQL injection attacks
> would be very easy to do.

Good point. Using your suggestion about implementing this inside the Table
class will make this easier to control.

--
Robert C. Paulsen, Jr.
robert@paulsenonline.net

pgsql-general by date:

Previous
From: Matteo Beccati
Date:
Subject: Re: PHP and PostgreSQL question on identifier limits.
Next
From: "Grant Allen"
Date:
Subject: Error codes to go with errors?