NYCPHP Meetup

[nycphp-talk] Is there something wrong with this SQL query in PHP?

csnyder chsnyder at gmail.com
Tue Aug 14 17:00:16 EDT 2007


On 8/14/07, Anthony Wlodarski <aw at sap8.com> wrote:
>
> So I will definitely in the future keep an out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use
> that.).

No, you're missing the point. It isn't direct use of the variable from
$_POST, it's that the value might contain quotes or other characters
that can cause the database to execute SQL that you don't expect.

Use the mysql_real_escape_string() function on all values before
including them in a query:

$query = "SELECT * FROM `jobsdb` WHERE `id`
=".mysql_real_escape_string($_POST['id'])."";


-- 
Chris Snyder
http://chxo.com/



More information about the talk mailing list