well this is simple and a little hard.

i receive data from a form like
$name
$email
$city
$state
etc

and i need to join all into a mysql query like:
$sql = "SELECT * FROM users WHERE name = 'value' AND email = 'value'";

but some times the information can came without data. i was thinking about something like this:
$sql = "SELECT * FROM users WHERE";

if ($name ne '') {
$sql .= " name = '$name'";
}

But how can i know if i will need 'AND' or not.
mean how can i know what was the last field incresed and if it got no AND and if the others got AND.

example

name = '' AND email = '' AND lastfield = '' ORDER BY name";

as u can see last field has no AND

any ideas please.

o hell i think i figure something out:
my $sql_stuff = join " AND ", @data;

hehe
for who needs its up here but im always accepting new ideas... learn is something great!!

That leaves you wide open to SQL injection attacks though. Get your data into a hash(ref) and do something like this (untested):


...using place holders[1] to quote all tainted input. If someone entered a name like joe; DELETE * FROM users; SELECT * FROM ... you would have just lost your table and possibly given them data they shouldn't see. Just think if they would have used a DROP DATABASE instead :)

~Charlie

[1] http://search.cpan.org/...ders_and_Bind_Values

How can they possible do it with a code like

$name = $form->param('name');
$city = $form->param('city');

$sql_data = "id = '$id'";

if($name ne '') {
$sql_data .= " AND name = '$name'";
}

if($city ne '') {
$sql_data .= " AND city = '$city'";
}

# and so on
$sql = "SELECT * FROM users WHERE $sql_data ORDER BY name";

i think if they increse a ; into 1 of that value they would be disconsider as command.

wont it ?

Have a read: http://www.samag.com/...8/sam0505h/0505h.htm.

If someone guessed a table name, or worse, the database name all they would have to do is make up some SQL like I posted earlier and put it into the user field on the form. If you don't use placeholders or clean your input you are open to something like this. Of course I'm assuming that $form is a CGI object in your case and that the param method is not cleaning your data.

~Charlie

nice information Chaz.

but how about if the retrieve page dont accept get method and verify if the incoming come from the same web-site

Where abouts in your code are you untainting your form input? If you are not doing this (using placeholders or $dbh->quote() or rolling your own) you are open to this. Just take a look on google: http://www.google.com/...tion&btnG=Search There are *many* more examples like the one I linked to above.

~Charlie

Very nice information thx for the help.

I am reading a lot of mysql injection subjects.