Posted by Erwin Moller on 12/17/44 11:53
Alex wrote:
> That sounds like exactly what I needed! I'll try that out now.
>
> Thanks very much.
>
> Alex
>
Alex, a serious warning: SQL injection.
Make sure you understand how The Bad Guys try to inject stuff into your
queries and take over your database.
If you receive a search term from a form, and proceed like this, you might
get into trouble:
$firstName = $_POST["firstName"];
$SQL = "SELECT firstname, lastname from tblusers WHERE ";
$SQL .= " (lastname LIKE '%".$firstName."%'); ";
etc. etc
Now the $firstName variable could possibly contain something very nasty you
didn't expect, like:
%'); DELETE FROM tbluser; etc
If you execute that query, you might find out your tbluser is empty..
If you are new to PHP and SQL, make sure you understand SQL-injection, and
prepare yourself.
Have a look at functions like addslashes() and check php.ini for things like
gpc_magic_quotes, etc
Best of luck!
Regards,
Erwin Moller
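As an added illustration of the warning above (example code, not Erwin's or Alex's): the concatenated query from the post next to a version that binds the search term as a parameter with PDO prepared statements instead of escaping it with addslashes(). It assumes an in-memory SQLite database and constructs its own tblusers rows so it runs offline.

```php
<?php
// Added example, not code from the original thread. Uses in-memory SQLite so
// it runs without a server; the table and rows below are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE tblusers (firstname TEXT, lastname TEXT)");
$pdo->exec("INSERT INTO tblusers VALUES ('Alex', 'Smith'), ('Erwin', 'Moller')");

// The pattern from the post: the form value is pasted into the SQL text, so a
// quote character inside it changes the structure of the statement.
function buildUnsafeSql(string $term): string
{
    $SQL = "SELECT firstname, lastname FROM tblusers WHERE ";
    $SQL .= " (lastname LIKE '%" . $term . "%'); ";
    return $SQL;
}

// The safe pattern: the statement text is fixed, and the term travels to the
// driver as a bound value that is never parsed as SQL.
function searchByLastName(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        "SELECT firstname, lastname FROM tblusers WHERE lastname LIKE :pattern"
    );
    // Note: % and _ typed by the user still act as LIKE wildcards here; that
    // is a search-semantics issue, not an injection, since the SQL is unchanged.
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The hostile value from the post. Only the string is built for the unsafe
// variant; it is never executed.
$hostile = "%'); DELETE FROM tbluser; etc";
echo "Unsafe SQL text:\n", buildUnsafeSql($hostile), "\n\n";

echo "Bound search with the hostile value (matches nothing, deletes nothing):\n";
print_r(searchByLastName($pdo, $hostile));

echo "Bound search for 'Mol' (one row):\n";
print_r(searchByLastName($pdo, 'Mol'));

$count = $pdo->query("SELECT COUNT(*) FROM tblusers")->fetchColumn();
echo "Rows still in tblusers: $count\n";
```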