The $sort_col value comes from the sort parameter of the environment, so it should be considered dangerous: An attacker might submit a URL with a sort parameter designed to attempt an SQL injection attack. To prevent this, $sort_col should be quoted when you construct the SELECT statement that retrieves rows from the displayed table. You cannot use a placeholder to quote the value because that technique applies to data values. ($sort_col is an identifier here, not a data value.) clicksort.php uses the quote_identifier() function from Cookbook_Utils.php to make the identifiers safe for inclusion in the SQL statement (see Recipe 2.6).
Another approach to validating the column name is to check the COLUMNS table of INFORMATION_SCHEMA. This enables you to incorporate the column name into the query as a data value, so it can be supplied using a placeholder. If the sort column is not found, it is invalid. The clicksort.php script shown here does not do that. However, the recipes distribution contains a Perl counterpart script, clicksort.pl, that does perform this kind of check. Have a look at it if you want more information.
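The two defenses described above combined in one place, as an added example (not the clicksort.php or Cookbook_Utils.php code from the book): the sort column is first checked against INFORMATION_SCHEMA.COLUMNS with placeholders, then quoted as an identifier before it is interpolated into the ORDER BY clause. The quote_identifier() body, the PDO connection, the table name and the request parameter names are assumptions.

```php
<?php
// Added example (not the MySQL Cookbook's own clicksort.php): validate a
// user-supplied sort column, then quote it as an identifier.

// Quote an identifier for MySQL: wrap in backticks, doubling any embedded
// backtick. Assumed to match the spirit of Cookbook_Utils.php, not copied.
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

// True only if $column exists in $table of the current database. Table and
// column names are data values in this query, so placeholders apply.
function column_exists(PDO $dbh, string $table, string $column): bool
{
    $sql = 'SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS'
         . ' WHERE TABLE_SCHEMA = DATABASE()'
         . ' AND TABLE_NAME = ? AND COLUMN_NAME = ?';
    $sth = $dbh->prepare($sql);
    $sth->execute([$table, $column]);
    return (int) $sth->fetchColumn() > 0;
}

// Build and run the sorted SELECT. $table is fixed by the script; $sort_col
// and $direction come from the request and are never interpolated unchecked.
function fetch_sorted_rows(PDO $dbh, string $table, string $sort_col, string $direction): array
{
    if (!column_exists($dbh, $table, $sort_col)) {
        throw new InvalidArgumentException("Unknown sort column: $sort_col");
    }
    // Sort direction is a keyword, not an identifier, so quoting does not
    // apply; map it through a fixed allowlist instead.
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    $sql = 'SELECT * FROM ' . quote_identifier($table)
         . ' ORDER BY ' . quote_identifier($sort_col) . ' ' . $dir;
    return $dbh->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumed DSN, credentials, table and parameter names; placeholders):
// $dbh  = new PDO('mysql:host=localhost;dbname=YOUR_DB', 'YOUR_USER', 'YOUR_PASSWORD');
// $rows = fetch_sorted_rows($dbh, 'YOUR_TABLE', $_GET['sort'] ?? 'id', $_GET['dir'] ?? 'asc');
```

A column name that passes the INFORMATION_SCHEMA check is still quoted, so a legitimate column whose name contains a backtick or a reserved word is handled correctly rather than rejected.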
The cells in the rows following the header row contain the data values from the database table, displayed as static text. Empty cells are displayed using so that they display with the same border as nonempty cells (see Recipe 19.3).
20.12. Web Page Access Counting
Problem
You want to count the number of times web pages have been accessed.
Solution
Implement a hit counter, keyed to the page to be counted. This can be used to display a counter in the page. Use the same technique to record other types of information as well, such as the number of times each of a set of banner ads has been served.
Discussion
This recipe discusses access counting, using hit counters for the examples. Counters that display the number of times a web page has been accessed are not such a big thing as they used to be, presumably because page authors now realize that they serve primarily the author's vanity; most visitors don't really care how popular a page is. Still, the general concept has application in many contexts. For example, if you display banner ads in your pages (see Recipe 19.7), you likely charge vendors by the number of times