Home > mailing lists

Re: PHP and PostgreSQL question on identifier limits. - Mailing list pgsql-general

From	Matteo Beccati
Subject	Re: PHP and PostgreSQL question on identifier limits.
Date	August 15, 2004 23:58:22
Msg-id	411FF892.2030007@beccati.com Whole thread Raw
In response to	PHP and PostgreSQL question on identifier limits. (Robert Paulsen <robert@paulsenonline.net>)
Responses	Re: PHP and PostgreSQL question on identifier limits. (Robert Paulsen <robert@paulsenonline.net>)
List	pgsql-general

Tree view

Hi,

> $_GET['sort'] && $_SESSION['sort']=$_GET['sort'];
> $sort=$_SESSION['sort'];
> $sort || $sort="field1";

First of all I don't feel very comfortable with this exotic syntax, but
this is not the right place to discuss about it ;)


> $query="SELECT
> field1 AS \"<a href=$PHP_SELF?sort=field1>field1</a>\",
> field2 AS \"<a href=$PHP_SELF?sort=field2>field2</a>\",
> field3 AS \"<a href=$PHP_SELF?sort=userid>field3</a>\"
> FROM my_table ORDER BY $sort";
>
> $tbl=new Table($query);
> $tbl->print();

Is there a good reason why you don't add hyperlinks inside your Table
class, instead than using column names for such a purpose?


P.S.
Handling column sorting like you're doing is a big security risk! I hope
you are doing some more checks on $sort, otherwise SQL injection attacks
would be very easy to do.


Best regards
--
Matteo Beccati
http://phpadsnew.com/
http://phppgads.com/

pgsql-general by date:

From: Mike Mascari
Date: 15 August 2004, 23:23:59
Subject: Re: PHP Postgre-MySql call redirector

From: Robert Paulsen
Date: 16 August 2004, 00:22:59
Subject: Re: PHP and PostgreSQL question on identifier limits.

Re: PHP and PostgreSQL question on identifier limits. - Mailing list pgsql-general

Previous

Next