Re: SQL Query Question
Well, first of all, you should put those variables into quotes, like:
$result = @mysql_query("SELECT MovieTitle, ReleaseDate, Gross FROM movie_table, actor_movie_table, actor_table WHERE actor_table.ActorID='".$id."' AND actor_movie_table.ActorID = actor_movie_table.MovieID ORDER BY `".$sOrderBy."` ".$ad);
I have no idea what $ad is. But building queries like this is a major security problem and leads to SQL injection. Put table names into ` ` and values into ' ' for your safety.
Btw, I don't see a problem with "actor_movie_table.ActorID = actor_movie_table.MovieID" actually.
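An added example, not code from the post above: the same lookup written with a prepared statement, so that the actor id is bound as a parameter and the ORDER BY column and direction are checked against a fixed allow-list (identifiers cannot be bound, which is why quoting alone does not make them safe). Assumptions: PDO with an in-memory SQLite database standing in for MySQL, a made-up three-table schema (movie_table, actor_table, actor_movie_table joined on MovieID/ActorID), and constructed demo rows; `$ad` is taken to be the sort direction.

```php
<?php
// Added example (not from the forum post). Assumptions: PDO + SQLite in-memory
// DB in place of the old mysql_* extension; the schema and rows below are
// constructed for the demo.

// Identifiers cannot be bound as parameters, so the sort column and direction
// are validated against fixed allow-lists before they touch the SQL text.
const ALLOWED_ORDER_COLUMNS = ['MovieTitle', 'ReleaseDate', 'Gross'];
const ALLOWED_DIRECTIONS    = ['ASC', 'DESC'];

function moviesForActor(PDO $db, int $actorId, string $orderBy, string $direction): array
{
    if (!in_array($orderBy, ALLOWED_ORDER_COLUMNS, true)) {
        throw new InvalidArgumentException("Unsupported ORDER BY column: $orderBy");
    }
    $direction = strtoupper($direction);
    if (!in_array($direction, ALLOWED_DIRECTIONS, true)) {
        throw new InvalidArgumentException("Unsupported sort direction: $direction");
    }

    // The actor id is a bound parameter, never concatenated into the query.
    $sql = "SELECT m.MovieTitle, m.ReleaseDate, m.Gross
            FROM movie_table m
            JOIN actor_movie_table am ON am.MovieID = m.MovieID
            WHERE am.ActorID = :actor_id
            ORDER BY `$orderBy` $direction";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':actor_id', $actorId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data (assumed schema) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE movie_table (MovieID INTEGER PRIMARY KEY, MovieTitle TEXT, ReleaseDate TEXT, Gross INTEGER)");
$db->exec("CREATE TABLE actor_table (ActorID INTEGER PRIMARY KEY, Name TEXT)");
$db->exec("CREATE TABLE actor_movie_table (ActorID INTEGER, MovieID INTEGER)");
$db->exec("INSERT INTO movie_table VALUES (1,'Alpha','2001-01-01',300), (2,'Beta','2003-05-05',100), (3,'Gamma','2002-02-02',200)");
$db->exec("INSERT INTO actor_table VALUES (7,'Demo Actor')");
$db->exec("INSERT INTO actor_movie_table VALUES (7,1), (7,2), (9,3)");

// Actor 7 appears in Alpha and Beta; sorted by Gross ascending: Beta, Alpha.
print_r(moviesForActor($db, 7, 'Gross', 'asc'));

// A sort column that is not on the allow-list is rejected before any SQL runs.
try {
    moviesForActor($db, 7, 'MovieTitle; extra', 'asc');
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```

The allow-list approach is the usual answer for ORDER BY: backticks only stop an identifier from being parsed as a keyword, they do not stop a caller from supplying a different identifier, so the column name has to be compared against the set the application actually supports.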
Posted July 31, 2005 07:09PM
Content reproduced on this site is the property of the respective copyright holders. It is not reviewed in advance by Oracle and does not necessarily represent the opinion of Oracle or any other party.