From: Majk.Skoric    Date: September 4 2009 11:00am
Subject: AW: a better way, code technique?
You should escape $username before passing it to MySQL if it's user-submitted data ... SQL injection.

one/two-liner, but error-prone!

$un = mysql_real_escape_string($username);
list($id) = mysql_fetch_row(mysql_query("SELECT uid FROM users WHERE username='{$un}'"));

better would be 

$un = mysql_real_escape_string($username);
$result = mysql_query("SELECT uid FROM users WHERE username='{$un}'");

if (!$result)
	die("error: ".mysql_error());

list($uid) = mysql_fetch_row($result);

if (!$uid)
	die("no user with ".htmlspecialchars($username)." found!");

// do something with $uid

Majk
-----Original Message-----
From: AndrewJames [mailto:andrewhudds@stripped]
Sent: Friday, 4 September 2009 12:52
To: mysql@stripped
Subject: a better way, code technique?

Is there a better way (hopefully simpler) to code this?

I want to get the user id of the logged-in user to use in my next statement.

$q1 = sprintf("SELECT uid FROM users WHERE users.username='$username'");
$result1 = mysql_query($q1);
$uid = mysql_fetch_array($result1);
$u = $uid['uid'];

It seems like a long way around to get 1 bit of data??
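The same username-to-uid lookup the thread discusses, written with a mysqli prepared statement so the value never becomes part of the SQL text and there is no escaping step to forget. This is an added example, not code from either poster; the users(uid, username) table follows the thread, and the connection parameters are constructed placeholders.

```php
<?php
// Added example (not from the thread): the username -> uid lookup with a
// bound parameter instead of string interpolation, plus the two checks
// the reply recommends (query failed? no such user?).
function lookup_uid(mysqli $db, string $username): ?int
{
    // The SQL is fixed; the user-supplied value travels as a parameter.
    $stmt = $db->prepare('SELECT uid FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $username);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $uid = null;
    $stmt->bind_result($uid);
    $found = $stmt->fetch();   // true when a row was read, null when none
    $stmt->close();
    return $found ? (int) $uid : null;
}

// Newer PHP defaults mysqli to throwing exceptions; switch that off so the
// explicit checks above are what reports errors (either style is fine).
mysqli_report(MYSQLI_REPORT_OFF);
$db = new mysqli('localhost', 'app', 'secret', 'appdb'); // constructed credentials
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}

$username = $_POST['username'] ?? '';
$uid = lookup_uid($db, $username);
if ($uid === null) {
    // Escape on output as well: never echo raw user input into HTML.
    die('no user with ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ' found!');
}
// do something with $uid
```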

