Posted by Andy Pieters on 10/04/78 11:14
Hi
Whilst you are searching the net, you might also want to search for 'sql
injection'. This is no joke!
Please use the mysql_escape_string on each variable you get from the user
side.
In your example
$Email = mysql_escape_string($_POST['Email']);
$Phonenumber = mysql_escape_string($_POST['Phonenumber']);
etc
There are some issues when magic quotes are turned on but you can implement a
hack that corrects any consuequences of that (stripslashes)
Andy
--
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O/>E$ d-(---)>+ s:(+)>: a--(-)>? C++++$(+++) UL++++>++++$ P-(+)>++
L+++>++++$ E---(-)@ W+++>+++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e>++++$@ h++(*) r-->++ y--()>++++
-- ---END GEEK CODE BLOCK------
--
Check out these few php utilities that I released
under the GPL2 and that are meant for use with a
php cli binary:
http://www.vlaamse-kern.com/sas/
--
--
Navigation:
[Reply to this message]
|