[nycphp-talk] Is there something wrong with this SQL query in PHP?
chsnyder at gmail.com
Tue Aug 14 17:00:16 EDT 2007
On 8/14/07, Anthony Wlodarski <aw at sap8.com> wrote:
> So I will definitely in the future keep an eye out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use
No, you're missing the point. It isn't direct use of the variable from
$_POST, it's that the value might contain quotes or other characters
that can cause the database to execute SQL that you don't expect.
Use the mysql_real_escape_string() function on all values before
including them in a query:
$query = "SELECT * FROM `jobsdb` WHERE `id`
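The point Chris makes above, shown end to end as an added example (this is not code from the original post or from either poster): a quote in an attacker-controlled value closes the string literal and the rest of the input becomes SQL. The example uses PDO with an in-memory SQLite database so it runs offline; the `jobsdb` table name mirrors the thread, and the rows and the hostile input are constructed. It also goes one step beyond the post and uses a prepared statement instead of `mysql_real_escape_string()`, since the `mysql_*` extension was removed in PHP 7 and binding parameters keeps the data out of the SQL text entirely.

```php
<?php
// Added example, not from the original post. In-memory SQLite via PDO so it
// runs without a MySQL server; table name `jobsdb` follows the thread, rows
// are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobsdb (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO jobsdb (id, title) VALUES
             (1, 'PHP developer'), (2, 'DBA'), (3, 'Sysadmin')");

// Hostile value as it might arrive in $_POST['id'] (constructed).
// The single quote closes the literal; OR '1'='1 is then parsed as SQL.
$malicious = "1' OR '1'='1";

// Vulnerable: the raw value is spliced into the SQL text. Copying $_POST['id']
// into a local variable first changes nothing; the string is the problem.
function vulnerableLookup(PDO $db, string $id): array
{
    $sql = "SELECT * FROM `jobsdb` WHERE `id` = '$id'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound as a parameter, so the database only ever sees
// it as data to compare against `id`, never as part of the statement.
function safeLookup(PDO $db, string $id): array
{
    $stmt = $db->prepare("SELECT * FROM `jobsdb` WHERE `id` = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable: %d rows\n", count(vulnerableLookup($db, $malicious))); // all 3 jobs
printf("prepared:   %d rows\n", count(safeLookup($db, $malicious)));       // 0 rows
```

One caveat on the escaping approach the post recommends: `mysql_real_escape_string()` only helps when the value sits inside quotes in the query. With `WHERE id = $id` (no quotes) and an input of `1 OR 1=1`, there is nothing for the function to escape and the query is still rewritten, whereas a bound parameter behaves the same either way.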