<ol>
<li>Sanitize your database inputs. <a href="http://php.net/mysql_real_escape_string" rel="nofollow noreferrer"><code>mysql_real_escape_string()</code></a> is a quick and easy way to achieve this (or, if the ID is always numeric, you could just use <a href="http://php.net/intval" rel="nofollow noreferrer"><code>intval()</code></a>). Don't be like the school who fell for <a href="http://xkcd.com/327/" rel="nofollow noreferrer">Bobby Tables</a>.</li>
<li><s>If you're not sure which request method was used, use the <code>$_REQUEST</code> superglobal, which contains both GET and POST variables (example: <code>$_REQUEST['ID']</code>). I normally don't use <code>$_REQUEST</code>, since I like to be clear about where my data comes from, but this would be a perfect situation to use it.</s></li>
</ol>
<p>As Nick Presta pointed out, <code>$_REQUEST</code> also includes cookie variables, and as a matter of fact, the default* order of precedence for name conflicts is <code>$_COOKIE</code>, <code>$_POST</code>, and then <code>$_GET</code>. In light of this, before you plug data into the query, you could either do what you're doing now, or use <code>$_SERVER['REQUEST_METHOD']</code> instead:</p>
<pre><code>// You can use mysql_real_escape_string() instead if you want
$id = ($_SERVER['REQUEST_METHOD'] == 'POST') ? intval($_POST['id']) : intval($_GET['id']);
</code></pre>
<p>Also, as outis noted, keep in mind that you have the option of using <a href="http://us2.php.net/manual/en/pdo.prepared-statements.php" rel="nofollow noreferrer">prepared statements</a> instead of just raw SQL queries.</p>
<p>* — The ordering is <a href="http://php.net/manual/en/reserved.variables.request.php" rel="nofollow noreferrer">configurable</a> via the <code>variables_order</code> configuration directive, as Stewart mentioned in the comments.</p>
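Putting the answer's two recommendations together (pick the source by <code>$_SERVER['REQUEST_METHOD']</code>, then use a prepared statement rather than string-building the query), as an added example that is not the answerer's code; the <code>items</code> table, its columns and the DSN are assumptions.

```php
<?php
// Added example (not from the answer): read the ID from whichever request
// method was used, validate it strictly, and bind it with a prepared statement.
// Table/column names (`items`, `id`, `name`) and the DSN are assumptions.

function requestedId(string $method, array $get, array $post): ?int
{
    // Prefer $_SERVER['REQUEST_METHOD'] over $_REQUEST so a cookie cannot
    // shadow the parameter (variables_order decides $_REQUEST precedence).
    $source = ($method === 'POST') ? $post : $get;
    if (!isset($source['id'])) {
        return null;
    }
    // filter_var() rejects anything that is not a whole integer, unlike
    // intval(), which silently turns "12abc" into 12 and "abc" into 0.
    $id = filter_var($source['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return ($id === false) ? null : $id;
}

function fetchItem(PDO $pdo, int $id): ?array
{
    // The value never becomes part of the SQL text; the driver binds it as an integer.
    $stmt = $pdo->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Usage against the live request (assumed DSN and credentials):
$id = requestedId($_SERVER['REQUEST_METHOD'] ?? 'GET', $_GET, $_POST);
if ($id === null) {
    http_response_code(400);
    exit('Missing or invalid id');
}
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
]);
$item = fetchItem($pdo, $id);
```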