[Wolves] PHP Sql select losing a row

Wayne Morris waynelists at machx.co.uk
Wed Jul 10 12:42:27 UTC 2013


On 10/07/2013 13:08, David Goodwin wrote:
> to mention those variable names lol
>
>> What was wrong with the variable names?
> Variable names should be readable and hopefully spelt correctly.
>
> Why not just write 'results' and 'query' - they're easy to read and descriptive.
>
> Sticking a 'z' on the end has not added anything (if anything it's more typing). I certainly find spelling mistakes in code distracting.
>
> (To me, it also looks childish, but perhaps I'm just becoming old and grumpy!)
AHHH, I thought you were having a go about using words like 'postcode'

The 'z' was just a fault-finding suffix to show me that that particular query was all part of the same query (I've got 4 separate queries on that page). I was concerned that the result from one might be getting used in the results from another, so I used result1 - result3 and then got bored with numbers and tagged it with a z   lol
>> It's for an intranet with users logged in - so either we trust them enough to amend/delete etc all records on the system,
>> or we don't trust them to do anything - an sql injection is far too complicated for our grade of user ;-)
>>
> So - someone searches for "it's" and it breaks?
> That doesn't give the end user much confidence in the app. It's good practice to try and code securely.
I do those checks on user input sections - this particular section just uses the postcode of a particular existing record, then searches for records in the same subpostcode to display. But point taken on secure coding.

>
> It may only be an intranet thing for now - but software has a habit of evolving and being adapted. $futureBoss could easily request a subset of the functionality be opened up to the world….
>
> alternatively, what if you're infected by some sort of network worm/virus which infects vulnerable web apps through SQL Injection?
>
> David.
>
cheers

Wayne
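Added example, not code from the thread or from Wayne's page: the "records in the same sub-postcode" lookup described above written with PDO prepared statements, so a value such as "it's" travels as a bound parameter instead of being spliced into the SQL text. It assumes PHP with the pdo_sqlite extension; the table, its rows and the function name are constructed for the demo.

```php
<?php
// Constructed demo schema: an in-memory SQLite table standing in for the intranet records.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, postcode TEXT)");

$seed = [
    ["O'Brien Ltd", 'WV1 1AA'],   // an apostrophe in stored data: the "it's" case
    ['Acme',        'WV1 2BB'],
    ['Other Co',    'WV2 9ZZ'],
];
$ins = $db->prepare("INSERT INTO records (name, postcode) VALUES (:name, :postcode)");
foreach ($seed as [$name, $postcode]) {
    $ins->execute([':name' => $name, ':postcode' => $postcode]);
}

// Hypothetical helper: find every record whose postcode starts with the given
// outward code (the part before the space, e.g. "WV1"). The value is bound, so
// quotes and semicolons in it are data and can never change the statement.
function recordsInSamePostcodeArea(PDO $db, string $outwardCode): array
{
    $stmt = $db->prepare(
        "SELECT id, name, postcode FROM records WHERE postcode LIKE :prefix ORDER BY id"
    );
    $stmt->execute([':prefix' => $outwardCode . ' %']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Take the postcode of an existing record, then search on its outward code.
$existing = $db->query("SELECT postcode FROM records WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
$outward  = strstr($existing['postcode'], ' ', true);   // "WV1"
print_r(recordsInSamePostcodeArea($db, $outward));      // ids 1 and 2

// A value containing an apostrophe is just an unmatched prefix, not a SQL error.
print_r(recordsInSamePostcodeArea($db, "it's"));        // empty array
```

Binding stops injection but not LIKE pattern matching: `%` and `_` inside the bound value still act as wildcards, so add an `ESCAPE` clause and escape them if the prefix ever comes straight from user input.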
