CogitoErgoDigito wrote:
I have created a page that exports in Excel format some recordsets
extracted from a database. I pass to that page the SQL query string via
GET.
Example:
href="export_excel.php?sql=<?=$sql?>"
It works fine, but in the address bar and in the title bar (with
Explorer) it writes the SQL string that I pass to the page, and I don't
like it.

When passing a variable via GET parameters, you cannot avoid the
parameters appearing in the address bar; that's part of the concept.
MSIE is showing the string in the title because you aren't using a
<title> tag, I suppose.
Use POST to submit your string, and the address bar remains clear.
Do I have to tell you that submitting and executing full SQL statements
on a public page is _very_ dangerous?
Anyone can fumble with the statement (DELETE * FROM table, etc.), and
hiding the statement in a POST doesn't make it much safer; it's simply
not quite as obvious.
(If you're just using the script on your private machine or in a
restricted area, it may be all right.)
Rudi
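
An added example, not part of either post: one way to remove the risk Rudi describes is for the link to carry only a report name, which the server maps to a fixed, parameterized query, so no SQL text ever comes from the request. The report keys, table and column names, and sample rows are hypothetical and constructed for illustration; the sketch assumes PDO with the SQLite driver.

```php
<?php
// Added example: report keys, table/column names and rows are hypothetical.
// Server-side allowlist: the client sends a report key, never SQL text.
const EXPORTS = [
    'customers_by_city' => [
        'sql'    => 'SELECT name, city FROM customers WHERE city = :city ORDER BY name',
        'params' => ['city'],
    ],
    'all_customers' => ['sql' => 'SELECT name, city FROM customers ORDER BY name', 'params' => []],
];

// $request stands in for $_GET or $_POST; only known keys reach the database.
function run_export(PDO $db, array $request): array
{
    $key = $request['report'] ?? '';
    if (!is_string($key) || !array_key_exists($key, EXPORTS)) {
        throw new InvalidArgumentException('unknown report');
    }
    $def  = EXPORTS[$key];
    $stmt = $db->prepare($def['sql']);
    foreach ($def['params'] as $name) {
        if (!isset($request[$name]) || !is_string($request[$name])) {
            throw new InvalidArgumentException("bad parameter: $name");
        }
        // User input is bound as data; it cannot change the statement.
        $stmt->bindValue(':' . $name, $request[$name], PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo with an in-memory database and constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customers (name TEXT, city TEXT)');
$db->exec("INSERT INTO customers VALUES ('Ada','Turin'),('Bob','Rome')");

$out = fopen('php://output', 'w');
foreach (run_export($db, ['report' => 'customers_by_city', 'city' => 'Turin']) as $row) {
    fputcsv($out, $row, ',', '"', '\\');
}
try {
    // A request carrying SQL instead of a known key is refused before any query runs.
    run_export($db, ['report' => 'DELETE * FROM table']);
} catch (InvalidArgumentException $e) {
    fwrite($out, 'rejected: ' . $e->getMessage() . "\n");
}
```

The export link then becomes something like `export_excel.php?report=customers_by_city&city=Turin`, and what shows in the address bar no longer matters because it is not executable SQL.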