IDNameAuthor"; while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
    // NOTE(review): the enclosing print_db() starts before this excerpt. Each
    // column value is echoed into the page as-is; if Name/Author can ever be
    // written by an untrusted party this is a stored-XSS sink — wrap each value
    // in htmlspecialchars(..., ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'). Confirm
    // who can write to the books table before relying on it being trusted.
    echo "". $row['BookID'] ."" . $row['Name']."" . $row['Author']. "\n";
}
echo "";
}

// Typecast the input
// Coerce a raw request value to the requested scalar type.
//   $string: the raw value (typically straight from $_POST)
//   $type:   'integer' or 'string'; any other value behaves like 'string'
// Returns (int)$string for 'integer', otherwise the value untouched.
// NOTE: only the 'integer' branch gives any protection when the result is
// interpolated into SQL or HTML — the 'string' branch performs no escaping,
// so callers must escape (or, better, parameterise) string results themselves.
function typecast($string, $type = 'string') {
    switch($type) {
        case 'integer':
            return (int)($string);
        case 'string' :
            return $string;
        default:
            return $string;
    }
}

// Start the connection to the database
// NOTE(review): credentials are hard-coded in source; read them from the
// environment or a config file outside the web root instead, and give the
// 'media' user only the SELECT privilege this page needs. The mysql_* extension
// is deprecated since PHP 5.5 and removed in PHP 7 — mysqli or PDO with prepared
// statements is the replacement and removes the need for manual escaping.
$db = mysql_connect('localhost', 'media', 'pass');
if (!$db) {
    // The raw driver error (host, user name) is sent to the client here; log it
    // server-side and show a generic message outside of a training setup.
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("media") or die( "Unable to select database");
?>

SQL Injection


Result for [$q]

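\n";
/* NOTE(review): $q is interpolated straight into the SQL string. Its
   assignment is not visible in this excerpt — confirm it went through
   mysql_real_escape_string() on the open link (it is inside single quotes,
   so escaping is at least meaningful here), or better, move both queries
   on this page to a prepared statement via mysqli/PDO. */
$result = mysql_query("SELECT * FROM books WHERE Author = '$q'");
print_db($result);
}

if (isset($_POST['i'])) {
    // Look up a single book by its numeric BookID.
    //
    // Bug fix: the original line was
    //     $i = typecast(mysql_real_escape_string(typecast($_POST['i']), 'integer');
    // The 'integer' argument lands in mysql_real_escape_string() as its link
    // parameter (invalid, so the call fails) and the outer typecast() falls back
    // to its 'string' default, so the value was never cast to int. Because
    // "BookID = $i" below is NOT quoted, escaping alone would not have helped
    // either — a string such as `1 OR 1=1` is injected verbatim.
    // Casting to int is what makes the interpolation below safe: the result
    // is a bare integer and needs no escaping. Non-numeric input becomes 0.
    $i = typecast($_POST['i'], 'integer');
    // Heading for the result block. Any markup around it is absent from this
    // copy of the file; the string is kept exactly as it appears here. $i is an
    // int at this point, so echoing it is safe without htmlspecialchars().
    echo "\n\nResult for [$i]\n\n\n";
    // Safe only because $i is guaranteed to be an integer (see above). If this
    // ever accepts a string again it must become a prepared statement.
    $result = mysql_query("SELECT * FROM books WHERE BookID = $i");
    print_db($result);
}
?>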

All the database