[nycphp-talk] MySQL: Delete row
Daniel Convissor
danielc at analysisandsolutions.com
Fri Apr 6 10:47:57 EDT 2007
On Wed, Apr 04, 2007 at 03:04:56AM +0000, tuon1 at netzero.net wrote:
> $Query = "SELECT * FROM $Tablename";
You better be VERY careful about the value of $Tablename. If it's set
directly by your script, that's fine, since you control what it can be.
But if $Tablename comes from user input, you MUST check that $Tablename is
a legitimate name before allowing it into a query.
For more information about SQL Injection, check out
http://phpsec.org/projects/guide/3.html#3.2
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
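One way to do the check Dan describes, as an added example rather than code from the thread: an allowlist of table names the script itself defines, plus an identifier pattern, applied before $Tablename is interpolated (prepared-statement placeholders bind values, not identifiers, so the query string has to be protected this way). The table names and the sample inputs are assumptions.

```php
<?php
// Added example (not from the original post). Validate $Tablename before it
// reaches the query, because "SELECT * FROM $Tablename" has no placeholder
// mechanism for identifiers. Table names and inputs below are constructed.
declare(strict_types=1);

/**
 * Return $Tablename as a backtick-quoted identifier if it is one of the
 * tables this script is allowed to query; throw otherwise.
 * The allowlist is the real control; the regex is a second check that the
 * name contains only characters a plain MySQL identifier may contain.
 */
function safeTableName(string $Tablename, array $allowed): string
{
    // Exact, case-sensitive match against names the script itself defines.
    if (!in_array($Tablename, $allowed, true)) {
        throw new InvalidArgumentException("Unknown table: " . $Tablename);
    }
    // Unquoted MySQL identifiers: letters, digits, underscore, max 64 chars.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $Tablename)) {
        throw new InvalidArgumentException("Bad identifier: " . $Tablename);
    }
    return '`' . $Tablename . '`';
}

// Tables this script knows about (assumed names).
$allowedTables = ['customers', 'orders'];

// Constructed inputs standing in for something like $_GET['table']:
// a legitimate name, a name not on the list, and a value with a stray quote.
foreach (['orders', 'customers_2007', "orders'"] as $input) {
    try {
        $Query = "SELECT * FROM " . safeTableName($input, $allowedTables);
        echo "OK:       $Query\n";
    } catch (InvalidArgumentException $e) {
        echo "REJECTED: " . $e->getMessage() . "\n";
    }
}
```

Only the first input produces a query; the other two are rejected before any SQL is built.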