From: | "scott(dot)marlowe" <scott(dot)marlowe(at)ihs(dot)com> |
---|---|
To: | Tino Wildenhain <tino(at)wildenhain(dot)de> |
Cc: | Nathaniel Price <nprice(at)tesseract(dot)net>, <pgsql-php(at)postgresql(dot)org> |
Subject: | Re: [GENERAL] Reordering results for a report |
Date: | 2003-12-15 16:25:41 |
Message-ID: | Pine.LNX.4.33.0312150924290.2965-100000@css120.ihs.com |
Lists: | pgsql-general pgsql-php |
On Mon, 15 Dec 2003, Tino Wildenhain wrote:
> Hi Scott,
>
> scott.marlowe schrieb:
> [...]
> >
> > print "<url goes here...>?orderby=".$flds[$i]."moreurlstuffhere???";
> >
> > Then, if the orderby is set when you build your query, just append it:
> >
> > if (isset($orderby)){
> > $query .= "order by ".$orderby;
> > }
> >
> > Add some directional control:
> >
> > if (isset($dir)){
> > if ($dir=="down") $query.=" DESC";
> > }
> >
> [...]
>
> This leads to a nice SQL-injection possibility.
> At least it has to be made sure that no illegal
> data can be transported via $orderby
Actually, the $flds[] array var is internally generated, and you'll
notice that orderby is NOT a PHP var, but a field name.
Good point though, lots of folks "trust" user input without paying
attention to injection issues, which is one reason I always set up servers
with magic quotes on. :-)
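As an added example (not code from the thread), here is one way to implement the check Scott describes: the orderby and dir values from the URL are matched against an internally generated field list before any SQL is assembled, so request text never becomes part of the query. The column names and the request array standing in for $_GET are constructed for illustration.

```php
<?php
// Added example: the ORDER BY clause is built only from an allow-list of
// column names, so the URL parameter can never reach the SQL text.

// Assumed: the report's columns, generated internally (the thread's $flds array).
$flds = ['customer', 'order_date', 'total'];

/**
 * Return ' ORDER BY "<col>" [DESC]' for a column/direction pair taken from the
 * query string, or '' when the column is not one of the known report fields.
 * The returned SQL contains only identifiers from $flds and the literal DESC.
 */
function build_order_clause(array $flds, ?string $orderby, ?string $dir): string
{
    // Exact, case-sensitive match against the internal field list; any other
    // value is simply ignored rather than escaped.
    if ($orderby === null || !in_array($orderby, $flds, true)) {
        return '';
    }
    // Double-quote the identifier so reserved words in $flds still work.
    $clause = ' ORDER BY "' . str_replace('"', '""', $orderby) . '"';
    // Direction is a two-valued flag; the request string itself is never copied.
    if ($dir === 'down') {
        $clause .= ' DESC';
    }
    return $clause;
}

// Column-header links as in the thread, with both parameters URL-encoded.
function header_link(string $base, string $fld, string $dir): string
{
    return $base . '?orderby=' . urlencode($fld) . '&dir=' . urlencode($dir);
}

// Constructed request values standing in for $_GET.
$request = ['orderby' => 'total', 'dir' => 'down'];
$query = 'SELECT customer, order_date, total FROM orders'
       . build_order_clause($flds, $request['orderby'], $request['dir']);
echo $query, "\n";

// A value that is not a report field produces no ORDER BY clause at all.
$unknown = ['orderby' => 'not_a_report_field', 'dir' => 'down'];
var_dump(build_order_clause($flds, $unknown['orderby'], $unknown['dir']) === '');

foreach ($flds as $fld) {
    echo header_link('/report.php', $fld, 'down'), "\n";
}
```

Because the allow-list decides what reaches the query, this check does not depend on magic quotes or on escaping, and it works the same way for column names in any PostgreSQL client library.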