Posted by Michael Fesser on 12/28/07 18:09
..oO(jodleren)
>Gee... I have been wondering whether the post can be in there, but
>*just in case* I have always used it like this
>
> $result=mysql_query("SELECT * FROM members WHERE username=\"".
>$_POST["username"]."\"");
>or
> $result=mysql_query("SELECT * FROM members WHERE username=\"".
>$_SESSION["username"]."\"");
Strings in SQL are delimited with single quotes. And you _never_ want to
use a user-submitted value directly in a query without any validation.
Read about SQL injection.
Micha
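As an added example that is not part of this thread, the following PHP contrasts the string-splicing pattern from the quoted post with a prepared statement. It uses PDO (which superseded the old mysql_* functions; mysql_query was removed in PHP 7) against an in-memory SQLite database so it runs offline; the members table, its two rows and the attacker string are constructed here for illustration.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite so it
// runs offline; table contents and attacker input are constructed here.

function setup_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)");
    $db->exec("INSERT INTO members (username, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");
    return $db;
}

// Vulnerable: the raw request value is concatenated into the SQL text, as in
// the quoted post. Anything the user sends is parsed as part of the query.
function lookup_vulnerable(PDO $db, string $username): array {
    $sql = "SELECT username, email FROM members WHERE username='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a placeholder in the SQL and the value bound separately, so the
// driver treats it purely as data and no quoting/escaping code is needed.
function lookup_safe(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT username, email FROM members WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setup_db();
// Constructed attacker input in place of $_POST["username"]: closes the
// string literal and appends an always-true condition.
$attacker = "x' OR '1'='1";

echo "vulnerable: " . count(lookup_vulnerable($db, $attacker)) . " row(s)\n";
echo "safe:       " . count(lookup_safe($db, $attacker)) . " row(s)\n";
echo "safe:       " . count(lookup_safe($db, 'alice')) . " row(s)\n";
```

With the attacker string, lookup_vulnerable returns every member because the WHERE clause has become `username='x' OR '1'='1'`, while lookup_safe returns nothing, since no member is literally named `x' OR '1'='1`; a real username still matches. On the quoting point Micha raises: MySQL accepts double-quoted strings in its default mode but treats them as identifiers when ANSI_QUOTES is enabled, so single quotes are the portable choice, and with bound parameters the question of quoting the value disappears altogether.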