From: Kenneth van Grinsven (kenneth at VANGRINSVEN.COM)
Date: Tue Feb 20 2001 - 14:20:09 CST
> Half-assed workaround. The correct fix is to modify the call to
> $dbh->prepare() as follows:
>
> > $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' &&
> > agent='$agent' ORDER BY stime DESC");
>
> $sth = $dbh->prepare("SELECT * FROM login WHERE pid=" .
>     $dbh->quote($mycookpid) .
>     " && agent =" .
>     $dbh->quote($agent) .
>     " ORDER BY stime DESC");
Actually the safe way would be to:
$sth = $dbh->prepare("SELECT * FROM login WHERE pid = ? AND agent = ? ORDER BY stime DESC");
$sth->execute($mycookpid, $agent);
By using placeholders, your scalars can contain anything you like, without
having malicious side effects.
Greetings,
Kenneth van Grinsven
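The three variants discussed in this thread side by side, as an added example that is not part of the original post or the advisory it replies to. It runs against an in-memory SQLite database through DBD::SQLite (assumed installed) so the effect of each construction can be observed without a MySQL server; the login table layout (pid, agent, stime) and its rows are constructed here from the column names in the quoted query, and the example uses AND rather than MySQL's && because SQLite does not accept &&.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread. Compares string
# interpolation, $dbh->quote() and placeholders on the same login lookup.
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. An in-memory database keeps the
# example self-contained.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

# Constructed sample data: two sessions belonging to two different users.
$dbh->do("CREATE TABLE login (pid INTEGER, agent TEXT, stime INTEGER)");
my $ins = $dbh->prepare("INSERT INTO login (pid, agent, stime) VALUES (?, ?, ?)");
$ins->execute(42, "Mozilla/4.0", 1000);
$ins->execute(7,  "Lynx/2.8",    2000);

# Prepares and executes one statement (with optional bind values) and
# returns the pids it matched, sorted so the variants compare directly.
sub matched_pids {
    my ($sql, @bind) = @_;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);
    return sort { $a <=> $b } map { $_->[0] } @{ $sth->fetchall_arrayref };
}

# Attacker-controlled cookie value: closes the quoted literal, appends a
# tautology and comments out the rest of the WHERE clause. The trailing
# space after "--" is what MySQL requires for its comment syntax; SQLite
# accepts it as well.
my $mycookpid = "x' OR '1'='1' -- ";
my $agent     = "Mozilla/4.0";

# 1. The original construction: values interpolated into the SQL text, so
#    the cookie rewrites the query itself.
my @interp = matched_pids(
    "SELECT pid FROM login WHERE pid='$mycookpid' AND agent='$agent' ORDER BY stime DESC");
print "interpolated : @interp\n";

# 2. The $dbh->quote() fix from the quoted reply: the driver escapes each
#    value, so the cookie text stays inside one string literal.
my @quoted = matched_pids(
    "SELECT pid FROM login WHERE pid=" . $dbh->quote($mycookpid)
    . " AND agent=" . $dbh->quote($agent) . " ORDER BY stime DESC");
print "quote()      : @quoted\n";

# 3. Placeholders: the SQL text is fixed at prepare() time and the values
#    are bound at execute() time, so they can never be parsed as SQL.
my $safe_sql = "SELECT pid FROM login WHERE pid = ? AND agent = ? ORDER BY stime DESC";
my @bound = matched_pids($safe_sql, $mycookpid, $agent);
print "placeholders : @bound\n";

# The same placeholder statement with a legitimate cookie still finds the
# right session, which is the whole point: correctness is unchanged.
my @legit = matched_pids($safe_sql, 42, $agent);
print "legitimate   : @legit\n";

$dbh->disconnect;
```

Running it shows the interpolated query matching every session in the table for the crafted cookie, while the quote() and placeholder versions match nothing because the payload is compared as plain data. quote() is a correct fix as long as it is applied to every value that reaches the SQL text; placeholders remove that per-value discipline entirely, and the prepared statement can be reused across executes with different bind values.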