Posted by Geoff Berrow on 08/05/07 07:21
Message-ID: <ZKudnd9htoY8_CjbnZ2dnUVZ_vfinZ2d@wavecable.com> from zach
contained the following:
>I forgot to mention, the comment, name and key variables come from a
>form via the post method.
So you need to do something like
$comment = mysql_real_escape_string($comment); on each user input.
Of course, you may want to do other validation prior to that. If
someone is trying to hack into your system, why store their attempt? You
might also want to check for content length, or banned text such as URLs.
If the value is meant to be an integer, I use intval() rather than
mysql_real_escape_string().
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
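An added example of the input handling described in the reply above (example code, not from the original thread): validation of the comment, name and key fields first, intval() for the integer, and escaping only for the strings. The field limits, the URL pattern, the table layout and the mysqli connection $link are assumptions; mysqli_real_escape_string() is used in place of the mysql_real_escape_string() the reply names, since the mysql_* extension no longer exists in current PHP.

```php
<?php
// Added example (not from the original post): validate the comment, name and
// key fields from the form before anything reaches the database, then escape.
// Constructed limits; adjust to the real schema.
const NAME_MAX    = 40;
const COMMENT_MAX = 2000;

// Returns ['ok' => true, 'values' => [...]] or ['ok' => false, 'errors' => [...]].
// Needs no database connection, so it can run in front of the escaping step.
function validate_comment_form(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $comment = trim((string)($post['comment'] ?? ''));
    $key     = intval($post['key'] ?? 0);   // integer field: intval(), not escaping

    if ($name === '' || strlen($name) > NAME_MAX) {
        $errors[] = 'name missing or too long';
    }
    if ($comment === '' || strlen($comment) > COMMENT_MAX) {
        $errors[] = 'comment missing or too long';
    }
    // Banned text: crude URL check; refuse the submission rather than store it.
    if (preg_match('~https?://|www\.~i', $comment)) {
        $errors[] = 'URLs are not allowed in comments';
    }
    if ($key <= 0) {
        $errors[] = 'key must be a positive integer';
    }
    return $errors ? ['ok' => false, 'errors' => $errors]
                   : ['ok' => true, 'values' => compact('name', 'comment', 'key')];
}

// Escaping step, run only on values that passed validation. Assumes an open
// mysqli connection $link and uses mysqli_real_escape_string(), the successor
// of the mysql_real_escape_string() named in the reply (mysql_* is gone in PHP 7).
// The key is interpolated unquoted as %d after intval(), so it is not escaped.
function build_insert(mysqli $link, array $v): string
{
    return sprintf("INSERT INTO comments (name, comment, `key`) VALUES ('%s', '%s', %d)",
        mysqli_real_escape_string($link, $v['name']),
        mysqli_real_escape_string($link, $v['comment']),
        $v['key']);
}

// Constructed sample submissions standing in for $_POST.
$good = ['name' => 'zach', 'comment' => "It's working", 'key' => '42'];
$bad  = ['name' => 'zach', 'comment' => 'see http://example.invalid', 'key' => '42 OR 1=1'];
print_r(validate_comment_form($good));
print_r(validate_comment_form($bad));
```

The second submission is rejected for the URL before any escaping happens, and its key field shows why the reply prefers intval() for integers: the trailing text is simply dropped.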