On Monday 16 June 2008 01:03:48 you wrote:
primm wrote:
Sorry, I know it's Sunday... How do I get all 4 echos into a one-line echo:
Using ".", the concatenation operator.
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
$sql = sprintf("SELECT * FROM names WHERE ID='%s'", mysql_real_escape_string($ID, $dblink));
if $ID is a number, use the %d format string and omit the mysql_escape_string() call ...
echo "EDITING <br>"; echo $myrow["name1"];
^^ security hole :-P
If $myrow["name1"] happens to be user supplied, we can make it <script>alert('owned');</script> and you have an XSS attack.
so
echo "EDITING <br>", htmlspecialchars($myrow["name1"]), " ", htmlspecialchars($myrow["name2"]);
Yes, a comma can be used with echo as well; it is not concatenation but a new parameter.
Cheers.
Wow. That's scary. I just changed it to:

echo "<b>Creating report for: <i>", $myrow["name1"], " ", $myrow["name2"], "</i></b>";

Can you give me a copy and paste _safe_ version of this?

Love L x
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
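The two holes pointed out in the thread (the $ID interpolated into the SQL string, and the database values echoed straight into HTML) and the "safe version" asked for at the end, worked through as an added example that is not code from any participant in the thread. The mysql_* functions the thread uses were removed in PHP 7, so the example assumes PDO with an in-memory SQLite table standing in for the MySQL "names" table; that table, its rows and the attacker-controlled $ID value are constructed here so the script runs offline. It goes one step beyond the thread's advice by binding the ID as a prepared-statement parameter (the integer cast has the same effect as the %d format suggested above) rather than escaping it into the query string.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumption: PDO + SQLite in memory
// stands in for the MySQL "names" table; the data below is constructed.

// The original, injectable query: $ID is pasted straight into the SQL string,
// so "1 OR 1=1" becomes part of the WHERE clause.
function unsafe_sql(string $id): string
{
    return "SELECT * FROM names WHERE ID=$id";
}

// Safe lookup: ID is numeric, so it is cast to int (same effect as %d) and then
// bound as a parameter. The SQL text never contains user input.
function fetch_name_row(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT name1, name2 FROM names WHERE ID = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML-escape one value for use in element content or a quoted attribute.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE avoids returning an
// empty string (and silently dropping output) on invalid UTF-8.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe form of the echo from the last message: the markup is a literal and
// every database value passes through h() before it reaches the browser.
function render_report(array $row): string
{
    return '<b>Creating report for: <i>' . h($row['name1']) . ' ' . h($row['name2']) . '</i></b>';
}

// --- demo with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE names (ID INTEGER PRIMARY KEY, name1 TEXT, name2 TEXT)');
$ins = $db->prepare('INSERT INTO names (ID, name1, name2) VALUES (?, ?, ?)');
// Constructed row: a quote in name1 and a stored XSS payload in name2.
$ins->execute([1, "O'Brien", '<script>alert("owned")</script>']);
$ins->execute([2, 'Ada', 'Lovelace']);

// Constructed attacker input, e.g. from ?ID=1%20OR%201%3D1
$attackerId = '1 OR 1=1';

// The interpolated query keeps the injected clause and would match every row.
echo unsafe_sql($attackerId), "\n";

// The parameterised query only ever sees the integer 1, and the stored
// <script> tag is rendered as text instead of being executed.
$row = fetch_name_row($db, $attackerId);
if ($row !== null) {
    echo render_report($row), "\n";
}
```

Run it with `php example.php`: the first line printed is the injectable SQL with `OR 1=1` still inside it, the second is the report for ID 1 with the angle brackets and quotes of name2 turned into entities. If the ID column were a string rather than a number, the same pattern applies without the cast: bind it with PDO::PARAM_STR and let the driver quote it, which is what the thread's mysql_real_escape_string() call was doing by hand.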