[nycphp-talk] Creating a MySQL DataBase using/through php script. Can anybody help??
Allen Shaw
ashaw at polymerdb.org
Wed Jul 11 11:46:33 EDT 2007
Hi Paul,
You've gotten some good answers on your actual question, so I won't
repeat them. But as an important side note, watch out what you copy
from the books. This line is terribly risky:
> $rs1 = @mysql_query( $_REQUEST['db'] );
If, for example, I requested
http://example.com/create_db.php?db=drop+database+mysql%3B the script as
it is would attempt to drop the mysql database (and hopefully you're not
connecting to mysql as a user who could actually do that...)
See this great article from Chris Shiflett on why user input should
always be filtered and escaped: http://shiflett.org/articles/sql-injection
I realize you copied most of this code out of the book, and that's no
shame -- learning by example is one of the best ways to do it. It's a
shame that the author has published code examples like this.
- Allen
PaulCheung wrote:
> Using Mike McGrath's book "PHP 5 in easy steps" ... and the
> example from the www.ineasysteps.com website
> <!-- example for PHP 5.0.0 final release -->
> <?php
> $conn = @mysql_connect( "localhost", "paul", "enter" )
> or die( "Sorry - could not connect to MySQL" );
>
> $rs1 = @mysql_query( $_REQUEST['db'] );
> $rs2 = @mysql_list_dbs($conn);
>
--
Allen Shaw
Polymer (http://polymerdb.org)
slidePresenter (http://slides.sourceforge.net)
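The fix Allen is pointing at, shown as an added example that is not from the thread or from the book: the request parameter is treated as a database name to validate, never as SQL text. It assumes PHP 7+ with the mysqli extension, placeholder credentials for a user holding only CREATE privileges, and a single "db" request parameter.

```php
<?php
// Added example, not from the original thread or the book's code.
// Assumptions: PHP 7+/8 with mysqli; 'dbcreator'/'secret' are placeholder
// credentials for a least-privilege account that cannot DROP other databases.

// Vulnerable pattern from the quoted book example: the request parameter IS
// the SQL text, so ?db=drop+database+mysql runs exactly that statement.
//   $rs1 = @mysql_query($_REQUEST['db']);

// A database name is an identifier, not a value, so it cannot be bound with
// a prepared-statement placeholder; the defence is a strict allow-list on the
// name plus identifier quoting, and a connection that lacks dangerous rights.
function validateDbName(string $name): ?string
{
    // Only [A-Za-z0-9_], letter first, max 64 chars (MySQL's identifier
    // limit). Spaces, ';', quotes and backticks are all rejected here.
    if (preg_match('/^[A-Za-z][A-Za-z0-9_]{0,63}$/', $name) !== 1) {
        return null;
    }
    return $name;
}

function createDatabase(mysqli $conn, string $requested): bool
{
    $name = validateDbName($requested);
    if ($name === null) {
        // Log the rejected input hex-encoded so the log itself is not a vector.
        error_log('rejected database name: ' . bin2hex($requested));
        return false;
    }
    // Backticks quote the identifier; the regex above already excludes any
    // character that could close the quoting early.
    $sql = sprintf('CREATE DATABASE `%s`', $name);
    try {
        $conn->query($sql);
        return true;
    } catch (mysqli_sql_exception $e) {
        error_log('create failed: ' . $e->getMessage());
        return false;
    }
}

// Usage: make mysqli throw on errors, connect as the restricted user, then
// hand the raw request value to the validating function.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = new mysqli('localhost', 'dbcreator', 'secret');
$ok = createDatabase($conn, (string) ($_REQUEST['db'] ?? ''));
echo $ok ? 'database created' : 'request rejected';
```

With this in place the drop-database request from Allen's example fails the regex and is logged rather than executed, and even a bypass would run as an account that cannot drop anything.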