Posted by Geoff Berrow on 05/04/07 16:20

Message-ID: <n50sg4-8oj.ln1@ophelia.g5n.co.uk> from Toby A Inkster
contained the following:

>> foreach($_POST as $key=>$val)
>> {
>> $$key = mysql_real_escape_string($val);
>> }
>
>That's no better really. Consider, we'll use $_GET as an example instead
>of POST, as it's easier to illustrate, but the same principle applies:
>
> http://example.com/foo.php?_SESSION[is_administrator]=1
>
>or, say you log IP addresses into your database whenever someone edits
>data...
>
> http://example.com/foo.php?_SERVER[REMOTE_ADDR]=123.45.67.89

Thanks for that Toby. It's always good to have an illustration of what
the potential problem might be.

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

• Next in forum: Re: help with posting conditional if statement
• Prev in forum: Re: help with posting conditional if statement
• Thread view: Re: $_POST and Building SQL Strings

[Reply to this message]