Posted by Toby A Inkster on 03/06/07 21:48

dajava wrote:

> $query = "INSERT INTO `Dora_Board` (`Title` , `Writer`,
> `Password`, `Contents`, `Date`, `Ip`) ";
> $query = $query . "VALUES ('" . (string)$title . "', '" .
> (string)$writer . "', '" . (string)$password . "', ";
> $query = $query . "'" . (string)$contents . "', '" . (string)
> $date . "', '" . (string)$ip . "')";

As I said -- mysql_real_escape_string(). Replace the above with:

$query = sprintf("INSERT INTO Dora_Board (Title, Writer, Password, Contents, Date, Ip)
VALUES ('%s', '%s', '%s', '%s', '%s', '%s');",
mysql_real_escape_string($title),
mysql_real_escape_string($writer),
mysql_real_escape_string($password),
mysql_real_escape_string($contents),
mysql_real_escape_string($date),
mysql_real_escape_string($ip));

There are several other chunks of code that need rewriting similarly, but
that should fix the immediate problem.

If you don't fix these problems your site is open to being cracked by
nasty people. Yes, really.

Google: mysql_real_escape_string.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Geek of ~ HTML/SQL/Perl/PHP/Python*/Apache/Linux

* = I'm getting there!

• Next in forum: comapring two variables of strings
• Prev in forum: Re: PLEASE HELP - Very odd problem
• Thread view: Re: help : apostrophe/single quotation mark

[Reply to this message]