[nycphp-talk] print parsing confusion
Daniel Convissor
danielc at analysisandsolutions.com
Fri Apr 14 11:58:00 EDT 2006
Hi, uh, whatever your name is:
On Thu, Apr 13, 2006 at 08:58:36AM -0700, Linux Rocks wrote:
>
> while( $row = mysql_fetch_array( $category ) )
> {
> echo( "<tr><td>" . $row['expenses_cat_desc'] .
> "</td><td><input type=text name=expense_cat" .
> $row['expenses_cat_number'] . ("</td></tr>");
>
> }
Your coding style and security practices are abysmal. You need to
quote the HTML attribute values and escape the database output:
while($row = mysql_fetch_array($category)) {
echo '<tr><td>' . htmlspecialchars($row['expenses_cat_desc'])
. '</td><td><input type="text" name="expense_cat'
. htmlspecialchars($row['expenses_cat_number'])
. '" value="" /></td></tr>' . "\n";
}
Yours pedantically,
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
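As an added illustration of the point Dan makes above (example code, not from his post or the list), the same row-rendering loop with the attribute quoting and htmlspecialchars() escaping he recommends, beside the unescaped form, run over constructed rows that stand in for mysql_fetch_array() results. The ENT_QUOTES flag and explicit charset are assumptions added here, not something the post states.

```php
<?php
// Added example: render the expense-category row the way the reply
// recommends, and compare it with the unescaped original.
// Rows are constructed inline so the script runs without a database.

// Builds one table row with attribute values quoted and all database
// output passed through htmlspecialchars(). ENT_QUOTES also escapes single
// quotes, and naming the charset keeps the escaping consistent with the page.
function render_category_row(array $row): string
{
    $desc = htmlspecialchars($row['expenses_cat_desc'], ENT_QUOTES, 'UTF-8');
    $num  = htmlspecialchars($row['expenses_cat_number'], ENT_QUOTES, 'UTF-8');

    return '<tr><td>' . $desc
        . '</td><td><input type="text" name="expense_cat' . $num
        . '" value="" /></td></tr>' . "\n";
}

// The original post's output, for contrast: unquoted attribute, no escaping,
// and the <input> tag is never closed.
function render_category_row_unescaped(array $row): string
{
    return '<tr><td>' . $row['expenses_cat_desc']
        . '</td><td><input type=text name=expense_cat'
        . $row['expenses_cat_number'] . '</td></tr>' . "\n";
}

// Constructed sample rows. The second description holds characters that
// change the meaning of the HTML when they are emitted raw: '&' starts an
// entity, '<misc>' becomes a tag, and the quotes can close an attribute.
$categories = [
    ['expenses_cat_number' => '1', 'expenses_cat_desc' => 'Office supplies'],
    ['expenses_cat_number' => '2', 'expenses_cat_desc' => 'Travel & "Lodging" <misc>'],
];

echo "Unescaped (original post):\n";
foreach ($categories as $row) {
    echo render_category_row_unescaped($row);
}

echo "\nEscaped (as recommended):\n";
foreach ($categories as $row) {
    echo render_category_row($row);
}
```

In the escaped output the second description appears literally in the browser, while the unescaped version renders `<misc>` as markup and leaves a malformed `&` in the text.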