Posted by bill on 12/19/06 16:05

Erwin Moller wrote:
> bill wrote:
>
>> MySQL newbie, not new to computing.
>>
>> In my application I accept photos and data, some structured and
>> some free text. I store the information (but not the images) in a
>> MySQL database and then from that information I construct a web
>> page for the user.
>>
>> The images are always displayed within an <img tag.
>>
>> The text is displayed as part of the web page, within <p> tags.
>>
>> The users are all registered and (more or less) trusted individuals
>>
>> <paranoid mode on>
>>
>> 1: Do I need to worry about SQL injection if I do not process the
>> incoming free form data ?
>
> Why do you let the visitor fill in data if you do not process it?

I guess I should be more clear. I save the data in a mysql
database and then paste it into a generated web page. By process
I meant mysql_real_escape_string() (about which I did not know)

bill

• Next in forum: Getting a function result while in heredoc
• Prev in forum: Re: SQL injection and PHP spoofing
• Thread view: Re: SQL injection and PHP spoofing

[Reply to this message]