I have a question: is it safe to pass query values to the database via GET, i.e. the values themselves?
For example:
http://domain.com/subdom/index.php?id=12
Underneath, this is executed:
mysql_connect("localhost", "root", "pass") or die();
mysql_select_db("dbname") or die();
// $id is the ?id= value from the URL (register_globals); read it explicitly if that is off
$id = $_GET["id"];
// the value is concatenated straight into the SQL text, without any check
$zaiavka_s = "SELECT * FROM `tblname` WHERE `id` = ".$id;
$zaiavka_q = mysql_query($zaiavka_s);
while ($zaiavka_r = mysql_fetch_array($zaiavka_q))
{
    echo($zaiavka_r["colname"]." ");
}
Note that nowhere do I check what $id is, i.e. it can be anything: a string, PHP code, whatever...
I sat here and tried passing various extras like this:
http://domain.com/subdom/index.php?id=12;
require("../../nesto_gadno.php");
but nothing happens. My question is: can this be broken into, or is it unlikely?