332
There’s no reason to stop with your JavaScript. Let’s help Frank make a few
upgrades to his PHP to help protect the server from SQL injection attacks, too.
Protecting against SQL injection in your PHP scripts
<?php
// Connect to database
$conn = @mysql_connect("mysql.headrstlabs.com",
                       "secret", "really-secret");
if (!$conn)
  die("Error connecting to MySQL: " . mysql_error());
if (!mysql_select_db("headrst", $conn))
  die("Error selecting Head First database: " . mysql_error());

// Strip formatting characters (dots, spaces, parens, dashes) from the phone number
$phone = preg_replace("/[\. \(\)\-]/", "", $_REQUEST['phone']);
// Escape any characters with special meaning to MySQL before the value is
// placed inside the quoted string literal in the WHERE clause
$phone = mysql_real_escape_string($phone);

$select = 'SELECT *';
$from   = ' FROM hraj_breakneck';
$where  = ' WHERE phone = \'' . $phone . '\'';
$queryResult = @mysql_query($select . $from . $where);
if (!$queryResult)
  die('Error retrieving customer from the database.');

// No loop: at most one customer is ever displayed, so fetch a single row
$row = mysql_fetch_array($queryResult);
if ($row) {
  echo $row['name'] . "\n" .
       $row['street1'] . "\n" .
       $row['city'] . ", " .
       $row['state'] . " " .
       $row['zipCode'];
}
mysql_close($conn);
?>
lookupCustomer.php
We really shouldn’t be looping through the results. There should never be more than one customer displayed at a time.

Now, no matter what the phone number is, only one customer (at most) is returned in the server’s response.

This is the most important change. This function will take care of escaping any special characters, like those single ...
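Escaping the value is the page’s fix, but the stronger defense is to keep the phone number out of the SQL string altogether and hand it to the database as a bound parameter. The following is an added example, not the book’s code: the same lookup rewritten with PDO prepared statements. It keeps the table and column names from lookupCustomer.php (hraj_breakneck, phone, name, street1, city, state, zipCode); the DSN host, credentials and the digits-only phone check are assumptions for illustration. It is also worth knowing that the mysql_* functions used on this page were deprecated in PHP 5.5 and removed in PHP 7.0, so PDO or mysqli is what current PHP offers anyway.

```php
<?php
// Added example, not the book's code: the customer lookup from
// lookupCustomer.php using PDO prepared statements. The phone number is
// sent to MySQL as a bound parameter, so it is never parsed as SQL.
// The host name and credentials below are placeholders.
$dsn  = 'mysql:host=db.example.invalid;dbname=headrst;charset=utf8mb4';
$user = 'DB_USER_PLACEHOLDER';
$pass = 'DB_PASSWORD_PLACEHOLDER';

try {
    $pdo = new PDO($dsn, $user, $pass, [
        // Throw on errors instead of returning false and carrying on.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
} catch (PDOException $e) {
    // Keep driver error text in the server log, not in the HTTP response.
    error_log('DB connection failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Error connecting to the database.');
}

// Same normalization as the original: strip dots, spaces, parens and dashes.
$phone = preg_replace('/[\. \(\)\-]/', '', $_REQUEST['phone'] ?? '');

// Assumed input rule for this example: a phone number is 7 to 15 digits.
// Rejecting anything else early gives a clear 400 instead of a silent miss.
if (!preg_match('/^\d{7,15}$/', $phone)) {
    http_response_code(400);
    exit('Invalid phone number.');
}

// The ? placeholder is bound separately from the SQL text.
$stmt = $pdo->prepare(
    'SELECT name, street1, city, state, zipCode
       FROM hraj_breakneck
      WHERE phone = ?
      LIMIT 1'
);
$stmt->execute([$phone]);

// One fetch, matching the page's point that at most one customer is returned.
$row = $stmt->fetch();
if ($row === false) {
    exit; // no match: empty response body
}

echo $row['name'] . "\n" .
     $row['street1'] . "\n" .
     $row['city'] . ", " .
     $row['state'] . " " .
     $row['zipCode'];
```

With a prepared statement the escaping step disappears: the query text and the data travel to MySQL separately, so a quote in the input can only ever be a quote in the data. The LIMIT 1 and single fetch() make the "one customer at most" rule part of the query itself rather than something the PHP loop has to remember.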