Export Excel

  • CogitoErgoDigito

    Export Excel

    I have created a page that exports some recordsets extracted from a
    database in Excel format. I pass the SQL query string to that page via
    GET.

    Example:
    href="export_excel.php?sql=<?= $sql?>"

    It works fine, but the address bar and the title bar (with
    Explorer) show the SQL string that I pass to the page, and I don't
    like it.

    How can I solve that problem?

    Thanks (and sorry for my English)
  • Rudolf Horbas

    #2
    Re: Export Excel

    CogitoErgoDigito wrote:

    > I have created a page that exports some recordsets extracted from a
    > database in Excel format. I pass the SQL query string to that page via
    > GET.
    >
    > Example:
    > href="export_excel.php?sql=<?= $sql?>"
    >
    > It works fine, but the address bar and the title bar (with
    > Explorer) show the SQL string that I pass to the page, and I don't
    > like it.

    When passing a variable via GET parameters, you cannot avoid the
    parameters appearing in the address bar; that's part of the concept.
    MSIE is showing the string in the title because you aren't using a
    <title> tag, I suppose.
    Use POST to submit your string, and the address bar remains clear.

    Do I have to tell you that submitting and executing full SQL statements
    on a public page is _very_ dangerous?
    Anyone can fumble with the statement (DELETE * FROM table, etc.), and
    hiding the statement in a POST doesn't make it much safer; it's simply
    not quite as obvious.
    (If you're just using the script on your private machine or in a
    restricted area, it may be all right.)

    Rudi


    • CogitoErgoDigito

      #3
      Re: Export Excel

      Rudolf Horbas <rhorbas@gmx.net> wrote in message news:<c2754u$3i4$1@svr7.m-online.net>...

      > When passing a variable via GET parameters, you cannot avoid the
      > parameters appearing in the address bar; that's part of the concept.
      > MSIE is showing the string in the title because you aren't using a
      > <title> tag, I suppose.
      > Use POST to submit your string, and the address bar remains clear.
      >
      > Do I have to tell you that submitting and executing full SQL statements
      > on a public page is _very_ dangerous?
      > Anyone can fumble with the statement (DELETE * FROM table, etc.), and
      > hiding the statement in a POST doesn't make it much safer; it's simply
      > not quite as obvious.
      > (If you're just using the script on your private machine or in a
      > restricted area, it may be all right.)
      >
      > Rudi

      Thank you very much for your answer!
      Now I pass the values via POST, and the address bar shows the page
      name.
      (I don't send the entire string but only the WHERE condition, and it
      comes from a page where it's only possible to choose some parameters.)

      Thanks
      Ciao

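The thread ends with the export page receiving only the WHERE condition via POST. The sketch below is an added example, not code from any poster, and goes one step further: the request carries only filter values, while the SELECT, column names and operators are fixed on the server and the values are bound through a prepared statement. The `orders` table, its columns and the form-field names are hypothetical.

```php
<?php
declare(strict_types=1);

// Accepted form fields => [column, operator] (hypothetical names). SQL
// identifiers and operators come only from this table, never from the request.
const ALLOWED_FILTERS = [
    'customer'  => ['customer_id', '='],
    'date_from' => ['order_date', '>='],
    'date_to'   => ['order_date', '<='],
];

/** Build the WHERE text and its bound parameters from untrusted input. */
function buildWhere(array $input): array
{
    $clauses = [];
    $params  = [];
    foreach (ALLOWED_FILTERS as $field => [$column, $op]) {
        $value = $input[$field] ?? '';
        if (!is_string($value) || $value === '') {
            continue; // filter not supplied (or not a plain string)
        }
        $clauses[] = "$column $op :$field";
        $params[":$field"] = $value; // value is bound, never concatenated
    }
    return [$clauses ? ' WHERE ' . implode(' AND ', $clauses) : '', $params];
}

/** Run the fixed SELECT with the generated WHERE and return the rows. */
function exportRows(PDO $db, array $input): array
{
    [$where, $params] = buildWhere($input);
    $stmt = $db->prepare("SELECT id, customer_id, order_date, total FROM orders$where ORDER BY id");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id TEXT, order_date TEXT, total REAL)');
$db->exec("INSERT INTO orders VALUES (1,'c1','2004-02-01',10.0),(2,'c2','2004-02-15',25.5),(3,'c1','2004-03-01',7.25)");

// Constructed requests (a real page would pass $_POST): a normal one, and one
// carrying the tampering from the thread plus a field the page does not accept.
$normal   = ['customer' => 'c1', 'date_from' => '2004-02-10'];
$tampered = ['customer' => 'c1; DELETE * FROM table', 'sql' => 'DELETE * FROM table'];
printf("normal: %d row(s)\n", count(exportRows($db, $normal)));
printf("tampered: %d row(s)\n", count(exportRows($db, $tampered)));
printf("orders still stored: %d\n", (int) $db->query('SELECT COUNT(*) FROM orders')->fetchColumn());
```

The tampered `customer` value is compared as a literal string and the unknown `sql` field is never read, so the statement that runs is always the one written in `exportRows()`.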