On Mon, 2005-03-21 at 21:29 -0700, Joseph Sinclair wrote:
> 2 items:
> 1) Unless your platform forces it, don't build SQL strings anywhere.
> SQL should be static strings using bind variables (also known as
> prepared statements, look it up in the reference for the SQL interface
> you're using). Dynamic SQL is susceptible to SQL injection, and makes
> the entire site difficult to maintain and simultaneously easy to break
> (both from a cracker standpoint, and from a maintenance standpoint).
----
Duly noted before and again - makes perfectly good sense - limited opportunity to do much mischief here but duly noted. I think that is what I am doing - a specific string with one variable to expand. Of course the previous warning is much more to the point... if I have a PHP file that expects a complete SQL search string to operate, someone could probably craft a methodology to send an entirely different string than something I had intended - which could have consequences beyond the damage that I am doing myself ;-) Of course, if the 'users' and 'password' employed in this operation only have access to a single db - then the only damage they could do is to this db or the tables of this db.
----
> 2) To pass quoted strings in (X)HTML, you have to escape the quotes.
> (X)HTML escapes characters differently from most programming
> languages, and you have to follow its rules. The mistake in your
> code is that you're trying to use PHP escapes in HTML text, and that
> won't work, since HTML doesn't consider the [\] character an escape
> character in attribute content.
> As an example, here's your string escaped for (X)HTML:
> &quot;SELECT * from horde_datatree WHERE user_uid = &quot;jennifer&quot;
> AND (group_uid = &apos;horde.shares.kronolith&apos; OR group_uid =
> &apos;horde.shares.nag&apos; OR group_uid =
> &apos;horde.shares.imp&apos; OR group_uid =
> &apos;horde.shares.turba&apos; OR group_uid =
> &apos;horde.shares.mnemo&apos;)&quot;
>
> Note: &quot; is used for ["] and &apos; is used for [']. Other
> character references may be inserted as needed, the full list is
> available at (www.w3.org). For characters without a defined entity,
> the Unicode escape (&#NNNN; where NNNN is the decimal Unicode
> character value) may also be used. The full details of character
> escaping in XML and HTML are found in the specs available at
> (www.w3.org).
----
I see, said the blind man - of course I knew this but only considered it in terms of HTML, and to me the HTML is the obstruction here and I've been trying to live with its ugliness only as little as necessary. The &apos; / &quot; stuff is a curveball... I'm simply trying to recycle the string I used to locate records in the SQL db and do it again the same way (removing the records not indicated by checkbox - see previous detailed description) - I'm gathering the best way to handle this is to send the 'unexpanded' string and the variable through the POST and rebuild the string again in the target. In my mind, I'm passing variables from PHP to PHP but because I need the HTML interactivity, I have to deal with its rules.
----
> Many languages have open source libraries available to escape the
> characters in a string for XML/HTML, check around to see if there's
> one for your application.
----
IANAP (I am not a programmer) and of course this can be rather befuddling - writing PHP, using HTML as my interactive medium and speaking to an SQL db - a lot of balls in the air for someone with so little coordination ;-)

I feel like I have gotten some terrific answers - as I seem to get from this list - I love this list - thanks Joseph - and Patrick and Ted

Thanks
Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
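The two points in the thread, worked through in PHP as an added example that is not part of the original messages: the SQL stays a static string with user_uid as a bind variable (item 1), the checkbox form escapes attribute values with htmlspecialchars rather than PHP backslashes (item 2), and only the raw variable, never an SQL string, travels through the POST, with the target page rebuilding the query itself (the plan Craig sketches). It assumes PHP 7 or later with the PDO MySQL driver, a horde_datatree table that has a datatree_id key column alongside user_uid and group_uid, and a target file named delete_shares.php; the DSN, credentials and those column and file names are assumptions, not taken from the thread.

```php
<?php
// Added example, not from the thread. Assumes PDO with the MySQL driver and a
// table horde_datatree(datatree_id, user_uid, group_uid); datatree_id and the
// file name delete_shares.php are assumptions.

// Item 1: the query text never changes. The only user-supplied value is the
// :user_uid bind parameter; the group list is fixed in the string itself.
const FIND_SHARES_SQL =
    'SELECT datatree_id, group_uid FROM horde_datatree'
    . ' WHERE user_uid = :user_uid'
    . " AND group_uid IN ('horde.shares.kronolith', 'horde.shares.nag',"
    . " 'horde.shares.imp', 'horde.shares.turba', 'horde.shares.mnemo')";

const DELETE_SHARE_SQL =
    'DELETE FROM horde_datatree WHERE datatree_id = :id AND user_uid = :user_uid';

function findShares(PDO $db, string $userUid): array
{
    $stmt = $db->prepare(FIND_SHARES_SQL);
    // The driver sends the value separately from the SQL text, so quotes or
    // keywords inside $userUid cannot alter the statement.
    $stmt->execute([':user_uid' => $userUid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Item 2: text placed in an HTML attribute or element needs HTML escaping,
// not PHP backslashes. ENT_QUOTES converts both " and ' to entities.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Display page: one checkbox per matching row. Only user_uid and the ids of
// the ticked rows go through the POST; no SQL is ever placed in the form.
function renderForm(array $rows, string $userUid): string
{
    $html = '<form method="post" action="delete_shares.php">'
          . '<input type="hidden" name="user_uid" value="' . h($userUid) . '">';
    foreach ($rows as $row) {
        $html .= '<label><input type="checkbox" name="keep[]" value="'
               . h((string) $row['datatree_id']) . '"> '
               . h($row['group_uid']) . '</label><br>';
    }
    return $html . '<input type="submit" value="Update"></form>';
}

// Target page (delete_shares.php): rebuild the query from the variable and
// delete every matching row whose id was not ticked, again with bound values.
function deleteUnchecked(PDO $db, string $userUid, array $keepIds): int
{
    $keep    = array_map('intval', $keepIds);   // ids are integers, nothing else
    $del     = $db->prepare(DELETE_SHARE_SQL);
    $deleted = 0;
    foreach (findShares($db, $userUid) as $row) {
        if (!in_array((int) $row['datatree_id'], $keep, true)) {
            $del->execute([':id' => $row['datatree_id'], ':user_uid' => $userUid]);
            $deleted += $del->rowCount();
        }
    }
    return $deleted;
}

// Usage on the display page (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=horde;charset=utf8mb4', 'horde', $pw,
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $user = $_GET['user'] ?? '';
// echo renderForm(findShares($db, $user), $user);
//
// Usage in delete_shares.php:
// $n = deleteUnchecked($db, $_POST['user_uid'] ?? '', $_POST['keep'] ?? []);
```

Two things worth noticing. The value crossing into SQL is always bound, so the PHP-side string never needs quoting at all, and the HTML-side escaping is done once, at output, by h(); the two escaping rules never have to be mixed. Separately, taking user_uid from a hidden form field means the browser chooses whose rows get deleted; in a real deployment it should come from the authenticated session instead, which also removes the need to echo it into the form.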