You should escape $username before passing it to MySQL if it is user-submitted data ... SQL injection.
One/two-liner, but error-prone:
$un = mysql_real_escape_string($username);
list($id) = mysql_fetch_row(mysql_query("SELECT uid FROM users WHERE username='{$un}'"));
Better would be:
$un = mysql_real_escape_string($username);   // escape the user-submitted value
$result = mysql_query("SELECT uid FROM users WHERE username='{$un}'");
if (!$result)
    die("error: " . mysql_error());          // query failed (syntax, connection, ...)
list($uid) = mysql_fetch_row($result);       // false if no row matched
if (!$uid)
    die("no user with {$username} found!");
// do something with $uid
Majk
-----Original Message-----
From: AndrewJames [mailto:andrewhudds@stripped]
Sent: Friday, 4 September 2009 12:52
To: mysql@stripped
Subject: a better way, code technique?
Is there a better way (hopefully simpler) to code this?
I want to get the user id of the logged-in user to use in my next statement.
$q1 = sprintf("SELECT uid FROM users WHERE users.username='$username'");
$result1 = mysql_query($q1);
$uid = mysql_fetch_array($result1);
$u = $uid['uid'];
it seems like a long way around to get 1 bit of data??
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=1
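The reply above recommends escaping $username before building the query; the more robust form of the same lookup is a prepared statement, where the username is bound as a parameter and never becomes part of the SQL text. The following is an added example, not code from either poster: it assumes only the users(uid, username) table named in the thread, uses PDO (available in PHP 5.1 and later), and stands up an in-memory SQLite table as a constructed stand-in so it runs without a MySQL server; lookupUid() is unchanged for a mysql: DSN.

```php
<?php
// Added example (not from the mailing-list post): fetch one user's uid with a
// prepared statement instead of interpolating $username into the SQL string.
// Assumed schema: users(uid, username), as in the original question.

declare(strict_types=1);

function lookupUid(PDO $db, string $username): ?int
{
    // The placeholder is bound as data, so quotes or other SQL metacharacters in
    // $username never alter the statement; no manual escaping is needed.
    $stmt = $db->prepare('SELECT uid FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;            // no such user; the caller decides how to handle it
    }
    return (int) $row['uid'];
}

// Against a real MySQL server the DSN would look like
// 'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4' with credentials
// (placeholders; none appear on the page). An in-memory SQLite database is
// used here (constructed) so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on error instead of returning false
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO users (uid, username) VALUES (1, 'andrew'), (2, 'o''brien')");

// Constructed inputs: a plain name, a name containing a single quote (which
// would break a string-built query without escaping), and an unknown name.
foreach (['andrew', "o'brien", 'nobody'] as $name) {
    $uid = lookupUid($db, $name);
    printf("%-10s -> %s\n", $name, $uid === null ? 'no such user' : "uid {$uid}");
}
```

Setting PDO::ERRMODE_EXCEPTION replaces the `if (!$result) die(...)` pattern from the reply: a failed prepare or execute throws, so a missing check cannot silently turn a database error into "no user found".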
| Thread | Author | Date |
|---|---|---|
| • a better way, code technique? | AndrewJames | 4 Sep |
| • AW: a better way, code technique? | Majk.Skoric | 4 Sep |
| • AW: a better way, code technique? | Majk.Skoric | 4 Sep |
| • Re: a better way, code technique? | Per Jessen | 4 Sep |
| • AW: Re: a better way, code technique? | Majk.Skoric | 4 Sep |
| • Re: AW: Re: a better way, code technique? | AndrewJames | 4 Sep |
| • AW: AW: Re: a better way, code technique? | Majk.Skoric | 4 Sep |
| • Re: a better way, code technique? | Brent Baisley | 4 Sep |
| • RE: a better way, code technique? | Gavin Towey | 4 Sep |
| • RE: a better way, code technique? | Daevid Vincent | 4 Sep |