Posted by Michael Fesser on 10/23/07 20:52

..oO(Jeff Gaines)

>I think Good Man has probably hit it on the head, this is old code I am
>looking at which probably will have worked with earlier versions of php. I
>will continue using $_GET['id'] and $_POST['id'] as this seems to be how
>to do it now.

An addition: If a user-submitted value is used directly in a query
without any validation as it seems to be in this case, then it's very
easy for an attacker to empty the entire table. Read about SQL injection
and how to prevent it.

Micha

[Back to original message]