<?php
// updated to fit http://drupal.org/writing-secure-code
function ajax_autocomplete() {
  // Trailing % turns the user's text into a prefix match. Note that any % or _
  // typed by the user is not escaped by db_query(), so it still acts as a LIKE
  // wildcard (a wildcard match, not SQL injection).
  $q = $_GET['z'] . '%';
  // Cast to int so the LIMIT is always a number.
  $limit = intval($_GET['limit']);
  // Drupal 6 placeholders: '%s' is escaped by db_query(), %d is cast to int.
  $sql = "select distinct title from node where status = 1 AND (type = 'product' OR type = 'model_documentation') AND title LIKE '%s' order by title limit %d";
  $result = db_query($sql, $q, $limit);
  while ($row = db_fetch_array($result)) {
    echo "{$row['title']}\n";
  }
  exit();
}
Yikes! What are you using this for?
Why "yikes"? This is the php-side of my ajax autocomplete setup.
xss_filter != escape_sql
$q = $_GET['q'] . '%%';
$sql = "select distinct title from node where status = 1 AND (type = 'product' OR type = 'model_documentation') AND title LIKE %s order by title limit %d";
db_query($sql, $q, $limit);
(assuming drupal that is...)
Also, no need for xss filter on the limit, this will do: $limit = (int)($_GET['limit']);
(the second part is actually covered by drupal if you do it the way I wrote above)
Nice. Gave it a shot, worked but I had to change %s to '%s'.
Your version fits better with http://drupal.org/writing-secure-code
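The thread makes two points worth seeing in working code: an XSS filter is not SQL escaping (only the database layer's placeholders protect the query), and the trailing `%` plus quoted `'%s'` is what makes the LIKE prefix match work. The following is an added example, not the gist author's code or part of the discussion above. It rewrites the same autocomplete query against PDO prepared statements, escapes LIKE wildcards that arrive in user input, and clamps the limit; it assumes a `node` table with the same columns as the gist, built here as constructed rows in an in-memory SQLite database. The helper names `escape_like` and `autocomplete_titles` are my own.

```php
<?php
// Added example (not the gist's code): the autocomplete query with PDO prepared
// statements, LIKE wildcard escaping and a clamped LIMIT. Runs stand-alone on
// an in-memory SQLite table filled with constructed sample rows.

function escape_like(string $value, string $escape = '\\'): string
{
    // Escape the escape character first, then the LIKE wildcards % and _,
    // so user-typed wildcards match literally instead of widening the search.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

function autocomplete_titles(PDO $db, string $prefix, int $limit): array
{
    // Clamp the limit so a caller cannot request an unbounded result set.
    $limit = max(1, min($limit, 50));

    // Placeholders are bound as data by the driver; no string concatenation
    // of user input into the SQL text. ESCAPE names our escape character.
    $sql = "SELECT DISTINCT title FROM node
            WHERE status = 1
              AND type IN ('product', 'model_documentation')
              AND title LIKE :pattern ESCAPE '\\'
            ORDER BY title
            LIMIT :limit";
    $stmt = $db->prepare($sql);
    // Only the trailing % that we append is a wildcard; everything the
    // user typed has been escaped above.
    $stmt->bindValue(':pattern', escape_like($prefix) . '%', PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data (not from the page).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE node (title TEXT, type TEXT, status INTEGER)");
$ins = $db->prepare("INSERT INTO node VALUES (?, ?, ?)");
$rows = [
    ['Widget 100%',   'product',             1],
    ['Widget Pro',    'product',             1],
    ['Widget Manual', 'model_documentation', 1],
    ['Widget Draft',  'product',             0], // unpublished: must be filtered out
    ['Gadget',        'product',             1],
];
foreach ($rows as $row) {
    $ins->execute($row);
}

// A prefix containing % matches the literal title, not "every title".
print_r(autocomplete_titles($db, 'Widget 100%', 10));
// An attempted quote break-out is plain data inside the pattern.
print_r(autocomplete_titles($db, "' OR 1=1 --", 10));
// The limit caps how many published Widget titles come back.
print_r(autocomplete_titles($db, 'Widget', 2));
```

The `ESCAPE` clause is needed because `%` and `_` are wildcards inside a LIKE pattern even when the value is bound as a parameter; binding stops SQL injection, but it does not stop a user from typing `%` to list every row. Drupal 7 and later provide `db_like()` for the same purpose; on Drupal 6 the escaping has to be done by hand as above.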