Hi,
I need to limit results in the following query type: http://www.somewhere.com/php/sql-a.p...l_order=&pos=1
I found a reference that says I should be able to use LIMIT x[,y], but
I don't know where/exactly how to add that to the string. Once I know
what it's supposed to look like, and can write something to generate
it.
If someone could post an example using the above and limiting the
output to 100 records starting at position 1, that would be great. 4 3297 em********@hotmail.com wrote: Hi,
I need to limit results in the following query type:
http://www.somewhere.com/php/sql-a.p...l_order=&pos=1
I found a reference that says I should be able to use LIMIT x[,y], but I don't know where/exactly how to add that to the string. Once I know what it's supposed to look like, and can write something to generate it.
If someone could post an example using the above and limiting the output to 100 records starting at position 1, that would be great.
It really depends on the database you're using.
In mysql, adding " LIMIT 5" to the end of your sql statement will return
5 rows, adding "LIMIT 10, 20" will return 20 rows starting with row
number 10.
It should also be noted that passing the database query in the URL like
your example shows is a _really_bad_ idea if you expect to allow other
people to use this page, and just a bad idea otherwise.
What would prevent some malicious user from manually changing the url to
try and execute the statement "DELETE+ALL+FROM+super_important_table",
OR WORSE!
Carl.
Carl wrote: em********@hotmail.com wrote:
Hi,
I need to limit results in the following query type:
http://www.somewhere.com/php/sql-a.p...l_order=&pos=1
I found a reference that says I should be able to use LIMIT x[,y], but I don't know where/exactly how to add that to the string. Once I know what it's supposed to look like, and can write something to generate it.
If someone could post an example using the above and limiting the output to 100 records starting at position 1, that would be great.
It really depends on the database you're using. In mysql, adding " LIMIT 5" to the end of your sql statement will return 5 rows, adding "LIMIT 10, 20" will return 20 rows starting with row number 10.
It should also be noted that passing the database query in the URL like your example shows is a _really_bad_ idea if you expect to allow other people to use this page, and just a bad idea otherwise.
What would prevent some malicious user from manually changing the url to try and execute the statement "DELETE+ALL+FROM+super_important_table", OR WORSE!
Carl.
The database is read-only, but thanks for the warning.
How exactly do I add "LIMIT 10, 20" to the html string? I tried some
different ways and either got error messages (generic) or it had no
effect.
This is using MySQL, and I know LIMIT is supported.
For example: I tried adding
+LIMIT+1%2C+100
to the end, or before the
+&sql_order=&pos=1
I Also tried adding
&LIMIT+1%2C+100
(no "+")
I think maybe the &sql_order at the end needs rewritten using LIMIT.
I need the specific syntax, "+", "&", "%2C", etc. to add (say) LIMIT
10,20 to this: http://www.somewhere.com/php/sql-a.p...l_order=&pos=1
Thanks em********@hotmail.com wrote: How exactly do I add "LIMIT 10, 20" to the html string? I tried some different ways and either got error messages (generic) or it had no effect. I think maybe the &sql_order at the end needs rewritten using LIMIT.
LIMIT must come after ORDER BY in a SQL query.
See http://dev.mysql.com/doc/mysql/en/select.html
But obviously, the PHP code is concatenating the sql_order after the
sql_query in some manner. We don't know what it's doing. We don't even
know from your example what the legal values for sql_order are. Are
they field names by which to sort? We don't know how it interprets the
blank string, as is being passed here.
For instance, it _might_ be concatenating the values of sql_query and
sql_order like this:
$sql = $sql_query
. "ORDER BY "
. ($sql_order ? $sql_order : "DefaultField")
. " ASCENDING"
So even if you were to pass "DefaultField LIMIT 10,20" for the sql_order
parameter, you'd end up with a syntax error in the resulting SQL,
because "ASCENDING" appears out of place. And this is assuming
sql_order is there to name the field by which to sort. It could have
some totally different meaning within the PHP code.
Regards,
Bill K.
In comp.databases em********@hotmail.com wrote: I need to limit results in the following query type:
http://www.somewhere.com/php/sql-a.p...l_order=&pos=1
What you seem to be doing here is very dangerous. Suppose someone saw
that URL and rewrote it as follows: http://www.somewhere.com/php/sql-a.p...E+FROM+mytable
Or even: http://www.somewhere.com/php/sql-a.p...y=DROP+mytable
This is called an "SQL injection" vulnerability -- where your
application allows the user to enter arbitrary SQL statements. These
can yield all sorts of undesired results:
* public accessibility of private information
* destruction of information (as above)
* crashing of your database server (by writing a query that
takes massive computational resources to compute)
* corruption of information, possibly with substantial financial
consequences
As an example of the last, imagine that your database is serving an
online store application, and includes the price list. If the user can
enter an arbitrary query (and the store application has the access
privileges to do so -- another error, perhaps) then the user could alter
prices and then place orders for really cheap goods. :)
--
Karl A. Krueger <kk******@example.edu> { s/example/whoi/ } This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Brian Piotrowski |
last post by:
Hi All,
I'm trying to run a simple query from an ASP page. I want the query to
select each individual field in a table and compare it to another table. If
the value doesn't exist, I want it...
|
by: krystoffff |
last post by:
Hi
I would like to paginate the results of a query on several pages. So I
use a query with a limit X offset Y to display X results on a page,
ok.
But for the first page, I need to run the...
|
by: Nick |
last post by:
Is there a (better) way to get the toal number of results from a query
but still limit them with a LIMIT clause. For example, in a Google
search result, it displays 1-100 of 10,000,000 results. Do...
|
by: emily_g107 |
last post by:
Hi,
I need to limit results in the following query type:
...
|
by: D. Dante Lorenso |
last post by:
I need to know that original number of rows that WOULD have been returned
by a SELECT statement if the LIMIT / OFFSET where not present in the
statement.
Is there a way to get this data from PG ?...
| |
by: Terry E Dow |
last post by:
Howdy,
I am having trouble with the objectCategory=group member.Count attribute.
I get one of three counts, a number between 1-999, no member (does not
contain member property), or 0. Using...
|
by: - |
last post by:
I have only 1m records in my database running on a laptop of speed
1.6GHz, memory 512MB ram, and Toshiba MK8032GAX hard disk.
I use 'LIMIT x,10' for the query to utilise record paging.
When the...
|
by: jon |
last post by:
Please Excuse the newbie question, but I have not been able to figure
out how to do the following on my own. Assume I have a table called
'reviews' and in that table there are three columns:...
|
by: woony |
last post by:
I am making a webpage that gets his information from an as400 system.
Now I seemed to hit some weird problem.
I have for example this select:
select field1,field2 from table
this is over...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
| |
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |