Posted by Kevin Raleigh on 07/17/07 04:00
How do you sanitize variables to prevent sql injections?
thank you
Kevin Raleigh
"Norman Peelman" <npeelman@cfl.rr.com> wrote in message
news:469c3ba5$0$8018$4c368faf@roadrunner.com...
> Kevin Raleigh wrote:
> > I have user id from the url string. sorry forgot to mention it.
> > http://www.myWebSite.org/validate?id=154&code=Ogtidw
> >
> > $userID = $_GET["id"];
> > $secureID = $_GET["code"];
> >
> > Why would the update fail?
> > Did I code it correctly?
> >
> > Thank You
> > Kevin Raleigh
> >
> > "Rik" <luiheidsgoeroe@hotmail.com> wrote in message
> > news:op.tvk8wiczqnv3q9@metallium...
> > On Tue, 17 Jul 2007 04:42:30 +0200, Kevin Raleigh
> > <kraleigh@sbcglobal.net> wrote:
> >
> >> The following code seems to be failing. Can you check my logic?
> >> I am using this //>> notation in the body of the code to indicate my
> >> questions and comments
> >> $check = mysql_query("SELECT * FROM user WHERE id = '$userID'") or
> >> die("query failed!");
> >
> > What is in $userID? Try to echo the query before performing it.
> >
> >
> >
>
> Remove the quotes from around $userID in the query... you don't need
> them for numbers, only strings (generally speaking). And sanitize your
> variables to prevent SQL Injections.
>
> Norm
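The following is an added example, not code from anyone in this thread, showing what Norm's advice to "sanitize your variables" means in practice for Kevin's validate script. It uses PDO with an in-memory SQLite database so it runs offline; the thread only shows a `user` table with an `id` column, so the `code` and `validated` columns and the two sample rows are constructed here for the demo. The first function reproduces Kevin's original interpolated query on purpose so the injection can be observed; the second binds the values as parameters, which is the actual fix.

```php
<?php
// Added example (not from the thread): interpolated SQL vs. bound parameters,
// on a constructed in-memory SQLite `user` table.

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Columns `code` and `validated` are assumptions for this demo.
    $db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, code TEXT, validated INTEGER DEFAULT 0)');
    $db->exec("INSERT INTO user (id, code) VALUES (154, 'Ogtidw'), (155, 'Zq9xLm')");
    return $db;
}

// VULNERABLE: the pattern from the original post; $userId becomes part of the SQL text.
function lookupUnsafe(PDO $db, string $userId): array {
    return $db->query("SELECT * FROM user WHERE id = '$userId'")->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: placeholders; the driver passes the values separately from the SQL text,
// so no quoting or escaping of the input is needed and none is possible to get wrong.
function lookupSafe(PDO $db, string $userId, string $code): array {
    $stmt = $db->prepare('SELECT * FROM user WHERE id = :id AND code = :code');
    $stmt->execute([':id' => $userId, ':code' => $code]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = buildDb();

// Normal request: /validate?id=154&code=Ogtidw (values as $_GET would deliver them)
$get = ['id' => '154', 'code' => 'Ogtidw'];
printf("unsafe, normal request: %d row(s)\n", count(lookupUnsafe($db, $get['id'])));

// Hostile request: /validate?id=%27%20OR%20%271%27%3D%271  (i.e. id = ' OR '1'='1)
$evil = ['id' => "' OR '1'='1", 'code' => 'anything'];
printf("unsafe, hostile request: %d row(s) (every row!)\n", count(lookupUnsafe($db, $evil['id'])));
printf("safe,   hostile request: %d row(s)\n", count(lookupSafe($db, $evil['id'], $evil['code'])));

// Validate the type before the value reaches SQL at all: an id must be a positive integer.
// This is the parameter form of Norm's point that a numeric column needs no quotes.
$id = filter_var($get['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('bad id');
}
$stmt = $db->prepare('UPDATE user SET validated = 1 WHERE id = :id AND code = :code');
$stmt->execute([':id' => $id, ':code' => $get['code']]);
printf("update matched %d row(s)\n", $stmt->rowCount());
```

Run it with `php validate_demo.php`; the unsafe lookup returns one row for the normal request and both rows for the hostile one, while the parameterised lookup returns nothing for the hostile input. The old `mysql_*` extension used in the thread has no prepared statements, so the only tools it offered were `mysql_real_escape_string()` for string values and an integer cast (`(int)$_GET['id']`) for numeric ones; `mysqli` and PDO both support binding as shown above, and it is the approach to use.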