[thelist] PHP help required please

Jason Lustig lustig at acsu.buffalo.edu
Sun Feb 3 15:36:00 CST 2002


>setcookie("LOGININFO", "$username");
>
>thats the code that sets the cookie when it is told to set it in an if
>statement.
>I then want to be able to use the value of $LOGININFO like so:
>
>$sql = "INSERT INTO  '$LOGININFO' (prod_id,prod_name,prod_price) VALUES
>('1','2','3')";

That's not nearly the best way to do things, let alone dealing with the
cookies. What if two people have the same usernames, or someone wants a
username that's a reserved word in the database system? It probably would
make more sense if your database was set up so that you had a table
'products', with 'prod_id', 'prod_name', 'prod_price', and 'user_id' which
would be a foreign key against a user table.

And if you have it set up like this, you should probably also escape the
variable $LOGININFO or else a person could go into their cookies and edit
$LOGININFO to be this:

(there are no quotes, this is what the string would be)


dave'; drop database; insert into 'dave



This would screw up your entire database. Very insecure, to insert stuff for
SQL right from the client-side...

--Jason
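The layout Jason suggests (one 'products' table with a 'user_id' foreign key) together with the escaping point, as an added PHP example that is not from the original thread: it uses an in-memory SQLite database through PDO, binds the cookie value and the product fields as parameters instead of splicing them into the SQL, and the 'users' table plus the helper function names are assumptions.

```php
<?php
// Added example (not from the original post). One products table for all
// users; ownership is a user_id foreign key, not a per-user table name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL)');
$db->exec('CREATE TABLE products (
    prod_id    INTEGER PRIMARY KEY,
    prod_name  TEXT NOT NULL,
    prod_price REAL NOT NULL,
    user_id    INTEGER NOT NULL REFERENCES users(user_id))');
$db->exec("INSERT INTO users (username) VALUES ('dave')");

// Resolve the cookie value to a user_id on the server side. The cookie is
// untrusted input, so it is bound as a parameter and compared as a literal
// string; it is never concatenated into the query text.
function lookupUserId(PDO $db, string $cookieUsername): ?int
{
    $stmt = $db->prepare('SELECT user_id FROM users WHERE username = :u');
    $stmt->execute([':u' => $cookieUsername]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Insert a product for an already-resolved user; every value is bound.
function addProduct(PDO $db, int $userId, string $name, float $price): void
{
    $stmt = $db->prepare('INSERT INTO products (prod_name, prod_price, user_id)
                          VALUES (:name, :price, :uid)');
    $stmt->execute([':name' => $name, ':price' => $price, ':uid' => $userId]);
}

// Normal request: the cookie names a real user.
$uid = lookupUserId($db, 'dave');
addProduct($db, $uid, 'widget', 9.99);

// Tampered cookie (the string from the post). With a bound parameter it
// matches no username and runs no SQL of its own, so the request is simply
// treated as not logged in and the database is left untouched.
$hostile = "dave'; drop database; insert into 'dave";
if (lookupUserId($db, $hostile) === null) {
    echo "tampered cookie: not logged in\n";
}
echo $db->query('SELECT COUNT(*) FROM products')->fetchColumn(), " product(s)\n";
```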



