[thelist] PHP help required please
Jason Lustig
lustig at acsu.buffalo.edu
Sun Feb 3 15:36:00 CST 2002
>setcookie("LOGININFO", "$username");
>
>thats the code that sets the cookie when it is told to set it in an if
>statement.
>I then want to be able to use the value of $LOGININFO like so:
>
>$sql = "INSERT INTO '$LOGININFO' (prod_id,prod_name,prod_price) VALUES
>('1','2','3')";
That's not nearly the best way to do things, let alone dealing with the
cookies. What if two people have the same usernames, or someone wants a
username that's a reserved word in the database system? It probably would
make more sense if your database was set up so that you had a table
'products', with 'prod_id', 'prod_name', 'prod_price', and 'user_id' which
would be a foreign key against a user table.
And if you have it set up like this, you should probably also escape the
variable $LOGININFO or else a person could go into their cookies and edit
$LOGININFO to be this:
(there are no quotes, this is what the string would be)
dave'; drop database; insert into 'dave
This would screw up your entire database. Very insecure, to insert stuff for
SQL right from the client-side...
--Jason
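The layout Jason describes, written out as an added example (this is not code from the original thread): a single 'products' table whose 'user_id' column is a foreign key against a 'users' table, and the INSERT done with bound parameters so the cookie value never becomes part of the SQL text. It uses PDO, which is newer than this thread; the connection details, the 'users' table and its columns, and the cookie format check are assumptions.

```php
<?php
// Added example, not from the original post. Connection details, the
// 'users' table and the allowed username pattern are assumptions.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
]);

// Schema (run once). One products table for everybody; ownership is a
// column, not a per-user table name, so duplicate usernames and reserved
// words in usernames are no longer a problem.
$pdo->exec("CREATE TABLE IF NOT EXISTS users (
    user_id  INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE
)");
$pdo->exec("CREATE TABLE IF NOT EXISTS products (
    prod_id    INT NOT NULL,
    prod_name  VARCHAR(255) NOT NULL,
    prod_price DECIMAL(10,2) NOT NULL,
    user_id    INT NOT NULL,
    PRIMARY KEY (user_id, prod_id),
    FOREIGN KEY (user_id) REFERENCES users(user_id)
)");

// The cookie is set by the browser, so it is untrusted input: check its
// shape before using it at all.
$username = $_COOKIE['LOGININFO'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $username)) {
    http_response_code(400);
    exit('invalid login cookie');
}

// Resolve the username to its user_id with a bound parameter.
$stmt = $pdo->prepare('SELECT user_id FROM users WHERE username = ?');
$stmt->execute([$username]);
$userId = $stmt->fetchColumn();
if ($userId === false) {
    http_response_code(403);
    exit('unknown user');
}

// The INSERT from the post, rewritten with placeholders: the values are sent
// separately from the SQL text, so nothing in the cookie can change the query.
$stmt = $pdo->prepare(
    'INSERT INTO products (prod_id, prod_name, prod_price, user_id) VALUES (?, ?, ?, ?)'
);
$stmt->execute([1, '2', '3', $userId]);
```

Even with the query parameterized, a plain username in a cookie still lets anyone claim to be anyone; in practice the logged-in identity should be kept server-side (a session) and only an opaque session id sent to the browser.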