sending sql statements in name value pairs - CodingForum



  • sending sql statements in name value pairs

    I need to send an SQL Query statement from an anchor tag. The code goes like this:
    echo "<td valign='top' width='40' class='text'>
    <a href='searchReports.php?sql=$sql&sort=p'>
    <b>Publication <br>Number</b></a></td>";

    Inside variable $sql is:
    select * from eReport where keyword like '%Agriculture%'

    or it could be:
    select * from eReport where division_num = '150'

    When program searchReports.php starts it has lost all information in the name value pair that is past the quote. How can I escape the quotes for the name value pair but retain them for the sql query?

    Thank you,

  • #2
    For security reasons alone that is a bad idea. You are leaving your database completely open to attacks. If you are passing an SQL query from your command line it can be changed to anything including dropping your database.
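
An added example, not code from either poster in this thread: the link carries only the search criteria, and searchReports.php rebuilds the statement itself with bound parameters and an allowlisted sort column. The URL keys keyword and division_num, the sort code 't', the column names publication_num and title, and the in-memory SQLite table are assumptions made for the illustration.

```php
<?php
// Sort codes allowed in the URL, mapped to real columns ('p' is from the
// original link; the column names and the 't' code are assumptions).
const SORT_COLUMNS = ['p' => 'publication_num', 't' => 'title'];

// Link side: send search criteria, never SQL. http_build_query() percent-encodes
// quotes and %, htmlspecialchars() keeps the href attribute intact.
function reportLink(array $criteria, string $sort): string
{
    $qs = http_build_query($criteria + ['sort' => $sort]);
    return htmlspecialchars("searchReports.php?$qs", ENT_QUOTES, 'UTF-8');
}

// searchReports.php side: rebuild the statement from validated parameters.
function searchReports(PDO $db, array $get): array
{
    $where = [];
    $args = [];
    $keyword = $get['keyword'] ?? null;
    if (is_string($keyword) && $keyword !== '') {
        $where[] = 'keyword LIKE ?';
        $args[] = '%' . $keyword . '%';   // value is bound, not concatenated
    }
    $division = $get['division_num'] ?? null;
    if (is_string($division) && ctype_digit($division)) {
        $where[] = 'division_num = ?';
        $args[] = $division;
    }
    // Column names cannot be bound, so pick one from the allowlist only.
    $sort = is_string($get['sort'] ?? null) ? $get['sort'] : 'p';
    $order = SORT_COLUMNS[$sort] ?? SORT_COLUMNS['p'];
    $sql = 'SELECT * FROM eReport'
         . ($where ? ' WHERE ' . implode(' AND ', $where) : '')
         . " ORDER BY $order";
    $stmt = $db->prepare($sql);
    $stmt->execute($args);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE eReport (publication_num INTEGER, title TEXT, keyword TEXT, division_num TEXT)");
$db->exec("INSERT INTO eReport VALUES (2, 'Soil survey', 'Agriculture', '150'), (1, 'Road plan', 'Transport', '200')");

echo reportLink(['keyword' => 'Agriculture'], 'p'), "\n";
// A keyword containing quotes is bound as literal text, not parsed as SQL.
var_dump(count(searchReports($db, ['keyword' => "Agriculture' OR '1'='1", 'sort' => 'p'])));
// An unknown sort code falls back to the default column.
print_r(searchReports($db, ['division_num' => '150', 'sort' => 'zzz']));
```

The LIKE wildcards % and _ inside a keyword are still treated as wildcards here; escape them separately if literal matching is required.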