PHP syntax confusion

software development

#1

$select = "l.name, l.band, ldisk"; // setting default values. Do with cookies in future versions.
$from = "List l";
$acdc = "DESC";
$where = "l.cost <> NULL";
$ordby = "l.band" . $acdc; // does this come out as "l.band DESC" or not?
$limit = 20;

if(!empty($_GET['select']) && is_string($_GET['select'])){ // I'm assuming that was meant to be a { not [
$select = $_GET['select'];
}
if(!empty($_GET['from']) && is_string($_GET['from'])){ // and on down the list of variables...
$from = $_GET['from'];
}
if(!empty($_GET['acdc']) && is_string($_GET['acdc'])){
$acdc = $_GET['acdc'];
}
// if(!empty($_GET['where']) && is_something($_GET['limit'])){ // is what? It's got to pass operators and conditionals <> = >= etc.
// $where = $_GET['where']; // Can I just tell it not to accept a text string longer than 10 or something? Security problem here?
// }
if(!empty($_GET['ordby']) && is_string($_GET['ordby'])){
$ordby = $_GET['ordby'];
}
if(!empty($_GET['limit']) && is_numeric($_GET['limit'])){
$limit = $_GET['limit'];
} // done with variable declarations.

$sql = "SELECT $select"; // You could change this line to "SELECT *"
$sql .= " FROM $from"; // Assigning table name to shorter name for shorter sql statements
$sql .= " WHERE $where"; // If you put NULL in '' then it treats it as string, it's not
$sql .= " ORDER BY $ordby $acdc"; // <- is this gonna output right?
$sql .= " LIMIT $limit"; // Using the variable defined above

$result = mysql_query($sql);

Is this right? What am I missing besides the form? I’m not very good at this and this is my first complex page so… don’t assume I know much. Thanks to anyone that can help me with my logic here.


#2

Anyone? I’m kinda stuck here


#3

// if(!empty($_GET['where']) && is_something($_GET['limit'])){ // is what? It's got to pass operators and conditionals <> = >= etc.
// $where = $_GET['where']; // Can I just tell it not to accept a text string longer than 10 or something? Security problem here?
// }

If the set of WHERE clauses can be reduced to a known list, that would probably be best:

$where_clause['less than'] = 'a < b';
$where_clause['greater than'] = 'a > b';
$where = $where_clause[$_GET['where']];

Otherwise, to ease your mind you would have to actually parse the SQL to make sure it is valid and acceptable.

Heh, you could even make a joke of it like:

$where_clause['2+2=5'] = 'a < b';
$where_clause['42'] = 'a > b';

whereas someone looking at your form variables might think the statement is

SELECT l.name, l.band, ldisk FROM List l DESC WHERE 2+2=5 LIMIT 20

but it would actually be

SELECT l.name, l.band, ldisk FROM List l DESC WHERE a < b LIMIT 20

:cool: Perl / MySQL / HTML+CSS
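The allowlist idea from reply #3, carried through to every user-controlled part of the query in post #1 (select, from, where, ordby, acdc and limit). This is an added example, not code from the thread; it assumes PHP 7+ and reads the column "ldisk" as l.disk.

```php
<?php
// Added example, not from the thread: every $_GET value is used only as a
// key into a fixed allowlist, so no request text is ever spliced into the SQL.
// Column/table names follow post #1; 'ldisk' is read as l.disk (assumption).
$columns = ['name' => 'l.name', 'band' => 'l.band', 'disk' => 'l.disk'];
$tables  = ['list' => 'List l'];
$orderBy = ['band' => 'l.band', 'name' => 'l.name'];
// Note: "l.cost <> NULL" is never true in SQL; IS NOT NULL is what was intended.
$where   = ['has_cost' => 'l.cost IS NOT NULL', 'free' => 'l.cost = 0'];

// Return the allowlisted fragment for $key, or $default when the key is unknown.
function pick(array $allowed, $key, $default) {
    return (is_string($key) && array_key_exists($key, $allowed)) ? $allowed[$key] : $default;
}

function buildQuery(array $get, array $columns, array $tables, array $orderBy, array $where) {
    // select: comma-separated column keys; unknown keys are dropped silently.
    $sel = [];
    foreach (explode(',', $get['select'] ?? '') as $k) {
        $k = trim($k);
        if (isset($columns[$k])) { $sel[] = $columns[$k]; }
    }
    if (!$sel) { $sel = array_values($columns); }  // default: all known columns

    $from = pick($tables,  $get['from']  ?? null, 'List l');
    $cond = pick($where,   $get['where'] ?? null, 'l.cost IS NOT NULL');
    $ord  = pick($orderBy, $get['ordby'] ?? null, 'l.band');
    // direction: only two keywords exist, so compare and emit a literal.
    $dir  = (isset($get['acdc']) && strtoupper($get['acdc']) === 'ASC') ? 'ASC' : 'DESC';
    // limit: cast to int and clamp; %d below guarantees an integer in the SQL.
    $limit = isset($get['limit']) ? (int)$get['limit'] : 20;
    if ($limit < 1 || $limit > 100) { $limit = 20; }

    return sprintf('SELECT %s FROM %s WHERE %s ORDER BY %s %s LIMIT %d',
        implode(', ', $sel), $from, $cond, $ord, $dir, $limit);
}

// Constructed request: 'where' carries raw SQL instead of a key, so it is
// ignored and the default condition is used; 'limit' is reduced to its integer.
$sql = buildQuery(
    ['select' => 'name,band', 'where' => 'l.cost <> NULL', 'acdc' => 'asc', 'limit' => '5abc'],
    $columns, $tables, $orderBy, $where
);
echo $sql, "\n";
```

The resulting statement contains only fragments from the arrays at the top, so the form can still offer users a choice of columns, ordering and filters without any of their input reaching mysql_query() as SQL text.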