
Good example?


eduard


That article is OK for learning basics but there are things that aren't right. First of all, they mentioned "Netscape" which means this is a very old article. The second problem is that they're using register_globals instead of the $_GET array to access input variables. Another problem is that they're not sanitizing data before putting it into a query, which means that visitors to your site can mess up the database.


Many thanks! Could you explain "sanitizing data" please?

When you're doing an SQL query, you put data into it that was given to you by a user. If the user is smart, they can mess up your database. If they aren't smart, there is still a chance that the site has an error when trying to make a query. For example in this code:

<?php
// Raw user input is pasted straight into the SQL text
$username = $_GET['username'];
$query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");
?>

If a user decides to send "O'Reilly" as an input, the query will work wrong because of the apostrophe. Here is how the query would look:

SELECT * FROM users WHERE username='O'Reilly'

In order to solve this problem, we do something called "sanitizing" which turns the string into something that won't mess up the query. To sanitize with the mysql extension we use mysql_real_escape_string():

<?php
// The apostrophe in the input is escaped before it reaches the SQL text
$username = mysql_real_escape_string($_GET['username']);
$query = mysql_query("SELECT * FROM users WHERE username='{$username}' ");
?>

The sanitised string looks like this: SELECT * FROM users WHERE username='O\'Reilly'



Ok, thanks very much!
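Added example, not code from the thread: the three approaches side by side, run against an in-memory SQLite database through PDO so it works offline. It assumes the pdo_sqlite extension is loaded; the table, the rows and the two inputs are constructed for the demo. The mysql_* functions in the posts above were removed in PHP 7.0, and mysql_real_escape_string() additionally needed an open connection to know the character set, so the example uses PDO's equivalents: PDO::quote() for the escaping step and a prepared statement for the fix a practitioner would actually use today.

```php
<?php
// Added example (not from the thread). Requires the pdo_sqlite extension.
// Shows: (1) the broken query from the thread, (2) escaping as mysql_real_escape_string()
// did it, (3) a prepared statement, where the value never becomes part of the SQL text.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one username contains the apostrophe from the thread.
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('O''Reilly'), ('bob')");

// 1. Vulnerable: user input pasted straight into the SQL text (the thread's first snippet).
function lookupUnsafe(PDO $db, string $username): array {
    $sql = "SELECT * FROM users WHERE username='{$username}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaped: the driver's quoting function wraps and escapes the value, the same job
//    mysql_real_escape_string() did. SQLite doubles the apostrophe ('O''Reilly') where
//    MySQL backslash-escapes it ('O\'Reilly'); both are legal SQL for their dialect.
function lookupEscaped(PDO $db, string $username): array {
    $sql = "SELECT * FROM users WHERE username=" . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Parameterised: the SQL is compiled first, the value is sent separately, so no
//    character in the input can change the meaning of the statement.
function lookupPrepared(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT * FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$inputs = [
    "O'Reilly",       // legitimate input that happens to contain an apostrophe
    "x' OR '1'='1",   // constructed attack string: turns the WHERE clause into a tautology
];

foreach ($inputs as $input) {
    echo "input: {$input}\n";
    try {
        $rows = lookupUnsafe($db, $input);
        // the OR payload returns every row in the table here
        echo "  unsafe:   " . count($rows) . " row(s)\n";
    } catch (PDOException $e) {
        // O'Reilly produces a syntax error: the query ends at the first apostrophe
        echo "  unsafe:   SQL error (" . $e->getMessage() . ")\n";
    }
    echo "  escaped:  " . count(lookupEscaped($db, $input)) . " row(s)\n";
    echo "  prepared: " . count(lookupPrepared($db, $input)) . " row(s)\n";
}
```

Run it with `php example.php`. "O'Reilly" errors out in the unsafe version and matches exactly one row in the other two; the tautology input returns all three rows from the unsafe version and zero from the other two, because in those it is only ever compared as a literal string. Escaping does fix the cases shown in the thread, but it only protects a value that sits inside quotes in the SQL; an unquoted number (`WHERE id={$id}`) is still injectable after escaping, which is why the prepared statement is the form to reach for.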
