[nycphp-talk] Is there something wrong with this SQL query in PHP?

csnyder chsnyder at
Tue Aug 14 17:00:16 EDT 2007

On 8/14/07, Anthony Wlodarski <aw at> wrote:
> So I will definitely in the future keep an out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use
> that.).

No, you're missing the point. It isn't direct use of the variable from
$_POST, it's that the value might contain quotes or other characters
that can cause the database to execute SQL that you don't expect.

Use the mysql_real_escape_string() function on all values before
including them in a query:

$query = "SELECT * FROM `jobsdb` WHERE `id`

Chris Snyder

More information about the talk mailing list