

Selecting Info from MYSQL table

Name: Anonymous 2008-12-05 22:59

Let's say I have a link on a webpage, a name of a ship perchance. And I want the user to be able to click on the ship name and see all of the orders the ship has. I have the SQL statement, but how do I go about having the link name inserted into the SQL statement?

ex.
(in SQL statement form)
SELECT * FROM ship_orders
WHERE ship_name = (link name here, i.e. a ship name located in the database);

I hope this makes sense (I'm actually quite new to PHP and SQL code, so it's kind of hard to explain what I want... sorry).

Name: Anonymous 2008-12-05 23:14

fuck that.

PHP is a toy language. what you really want is scalability and power.

lrn2java
then
lrn2PreparedStatement

Name: Anonymous 2008-12-05 23:26

You'll have to create one if statement for each ship, i.e.
if ($_GET['ship'] == "hax") {
    mysql_query("SELECT * FROM ship_orders WHERE ship_name='hax'");
} elseif ($_GET['ship'] == "my") {
    mysql_query("SELECT * FROM ship_orders WHERE ship_name='my'");
} elseif ($_GET['ship'] == "anus") {   // was "=" (assignment), which always matched
    mysql_query("SELECT * FROM ship_orders WHERE ship_name='anus'");
} else {
    // Raw user input concatenated straight into the query: injectable (see >>4).
    mysql_query("SELECT * FROM ship_orders WHERE ship_name='" . $_GET['ship'] . "'");
}

Name: Anonymous 2008-12-05 23:39

anus%27%3B%20DROP%20DATABASE%3B%2D%2D

Name: Anonymous 2008-12-05 23:42

Ah thank you so much!  I appreciate it!

Name: Anonymous 2008-12-06 3:03

>>3
SQL INJECTION YO

Name: Anonymous 2008-12-06 3:13

// Escapes according to the charset of the open mysql connection, so run it after mysql_connect().
$ship_name = mysql_real_escape_string( $_GET['ship'] );
mysql_query( "SELECT * FROM ship_orders WHERE ship_name='$ship_name'" );

Name: Anonymous 2008-12-06 3:24

>>3
DON`T HELP HIM!

Name: Anonymous 2008-12-06 3:47

>>7
You should be using the ENTERPRISE BEST PRACTICES for SQL string escaping [1]


  // Undo the backslashes magic_quotes_gpc adds automatically, so the value is not escaped twice.
  if (get_magic_quotes_gpc()) {
      $ship_name = stripslashes( $_GET['ship'] );
  } else {
      $ship_name = $_GET['ship'];
  }

  $ship_name = mysql_real_escape_string( $ship_name );
  mysql_query( "SELECT * FROM ship_orders WHERE ship_name='$ship_name'" );


[1]. http://ca3.php.net/mysql_real_escape_string
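The thread's fix so far is string escaping; the prepared-statement route >>2 points at exists in PHP too, through PDO. What follows is an added example, not code from any post: it first shows what the concatenating else branch of >>3 actually sends to the server when handed the payload from >>4, then does the lookup >>1 asked for as a PDO prepared statement, and builds the clickable link so the ship name survives both the URL and the HTML. The database name, DSN, credentials and the columns of ship_orders are assumptions; the thread only names the table and ship_name.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database "fleet"
// on localhost with a table ship_orders that has a ship_name column; the
// DSN and the "webapp"/"secret" credentials are placeholders.

// 1. What the concatenating else branch of >>3 sends when given >>4's payload.
$payload = rawurldecode('anus%27%3B%20DROP%20DATABASE%3B%2D%2D');  // anus'; DROP DATABASE;--
$unsafe  = "SELECT * FROM ship_orders WHERE ship_name='" . $payload . "'";
// $unsafe is now:
//   SELECT * FROM ship_orders WHERE ship_name='anus'; DROP DATABASE;--'
// The quote closes the literal, ';' ends the statement and '--' comments out
// the trailing quote. mysql_query() only sends one statement, so this exact
// stacked payload dies with a syntax error, but the same hole takes anything
// that fits in a single SELECT (UNION, boolean conditions, subqueries).

// 2. The same lookup as a prepared statement: query text and value travel separately.
function shipOrders(PDO $db, string $shipName): array
{
    $stmt = $db->prepare('SELECT * FROM ship_orders WHERE ship_name = ?');
    $stmt->execute([$shipName]);          // the value is bound, never parsed as SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Building the link >>1 asked about: URL-encode the query-string value and
//    HTML-escape the text, so a ship name with ', & or < cannot break either context.
function shipLink(string $shipName): string
{
    $href = 'orders.php?ship=' . rawurlencode($shipName);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($shipName, ENT_QUOTES, 'UTF-8') . '</a>';
}

$db = new PDO(
    'mysql:host=localhost;dbname=fleet;charset=utf8mb4',   // assumed DSN
    'webapp', 'secret',                                    // assumed credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares, not client-side quoting
    ]
);

// The injection payload is now just a ship name that is matched as a literal.
$rows = shipOrders($db, $payload);

// Normal use from the clicked link: orders.php?ship=Sea+Hawk
foreach (shipOrders($db, $_GET['ship'] ?? '') as $row) {
    echo shipLink($row['ship_name']), "\n";
}
```

Two caveats on the escaping route in >>7 and >>9 that the thread does not spell out: mysql_real_escape_string() escapes according to the character set of the current connection, so it only behaves after mysql_connect() and with the connection charset matching the data; and the whole mysql_* extension was removed in PHP 7, as magic_quotes was in PHP 5.4, so the code in >>9 does not run on PHP 7 or later at all.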

Name: Anonymous 2008-12-06 4:02

STOP HELPING HIM

Name: Anonymous 2008-12-06 5:20

Ship.orders.all

Name: Anonymous 2008-12-06 6:16

>>9
Or you could, you know, fucking turn off magic quotes.

Name: Anonymous 2008-12-06 11:26

>>12
I prefer not being vulnerable to SQL injection, thank you.

Name: Anonymous 2008-12-06 11:33

>>13
I cursed audibly.

Name: Anonymous 2008-12-06 11:34

>>13
well obviously if that's the case you'd be using something better than a shitty wrapper around the C MySQL API

Name: Anonymous 2008-12-06 12:33

>>13
Enjoy your SQL injections when PHP 6 comes.

It's only fair, anyone still relying on magic quotes has it coming.

Name: Anonymous 2008-12-06 13:27

>>16
PHP 6 is vaporware written by an Asian transsexual. Good luck with that.

Name: Anonymous 2008-12-06 17:11

1. Stop being a faggot. PHP is absolute shit. MySQL is not a modern implementation of an RDBMS. The current MySQL smells like 1998 RDBMSes.

2. If you insist on being a faggot, do not write dynamic SQL queries. Dynamic queries are for idiots and amateurs. Write stored procedures for app data queries. Stored procedures are a recent MySQL development, which is just fucking faggy as shit they didn't implement them years ago. As long as you do not have dynamic SQL in the stored proc, you will not have SQL injection attacks. You can also give no access to the DB tables for the user used by the web app, so the only access is done by the SPs and you can be sure what they do because you fucking wrote them.

It is so fucking funny how these faggy PHP/MySQL devs have no concept of basic database security. Even mature PHP scripts are fucking disgusting.
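The stored-procedure and least-privilege layout >>18 describes, as an added example that is not part of the thread. The database name, the webapp account, the procedure name and the credentials are assumptions. The procedure body contains no dynamic SQL, so its parameter is only ever a value; the one thing the layout does not cover on its own is the CALL on the PHP side, which still has to be a prepared statement, otherwise the injection point just moves from the SELECT into the procedure argument.

```php
<?php
// Added example, not code from the thread. Database "fleet", account "webapp",
// procedure ship_orders_for and all passwords are placeholders.

// --- One-time DBA setup, run as a privileged account, never by the web app.
$dba = new PDO(
    'mysql:host=localhost;dbname=fleet;charset=utf8mb4',
    'root', 'rootpw',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// A stored procedure with no dynamic SQL: p_ship is a value, never query text.
// SQL SECURITY DEFINER makes it run with the definer's table rights, so the
// caller needs none; READS SQL DATA documents that it only selects.
$dba->exec(<<<'DDL'
    CREATE PROCEDURE ship_orders_for(IN p_ship VARCHAR(100))
        SQL SECURITY DEFINER
        READS SQL DATA
    BEGIN
        SELECT * FROM ship_orders WHERE ship_name = p_ship;
    END
DDL
);

// The application account gets EXECUTE on the procedure and nothing on the tables.
$dba->exec("CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'secret'");
$dba->exec("GRANT EXECUTE ON PROCEDURE fleet.ship_orders_for TO 'webapp'@'localhost'");
// Deliberately no GRANT SELECT/INSERT/UPDATE/DELETE ON fleet.* for webapp.

// --- Application side.
function shipOrders(PDO $db, string $shipName): array
{
    // The CALL itself is still prepared: "CALL ship_orders_for('$shipName')"
    // would simply relocate the injection into the procedure argument.
    $stmt = $db->prepare('CALL ship_orders_for(?)');
    $stmt->execute([$shipName]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    $stmt->closeCursor();   // CALL leaves a second (status) result set; release it
    return $rows;
}

$app = new PDO(
    'mysql:host=localhost;dbname=fleet;charset=utf8mb4',
    'webapp', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

$rows = shipOrders($app, $_GET['ship'] ?? '');

// Check the privilege boundary: a direct table read by webapp is refused.
try {
    $app->query('SELECT * FROM ship_orders');
} catch (PDOException $e) {
    // Expected: an access-denied error for user 'webapp'@'localhost'.
    error_log('direct table access blocked as intended: ' . $e->getMessage());
}
```

The point of the GRANT is that even if the application code regresses to string concatenation somewhere, the account it runs as cannot read or drop tables directly; it can only execute the procedures the DBA wrote.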

Name: Anonymous 2011-02-03 1:46
