Posted by Oliver Grätz on 10/19/05 04:45
Shaun schrieb:
> $qid = mysql_query('INSERT INTO MYTABLE (
> column1,
> column2
> ) VALUES (
> "'.$value1.'",
> "'.$value2.'"
> )');
A bit off-topic but important: Always make sure that you check the
contents of $value1 and $value2 before putting them into the query!
With
$value1 = 'xyz","xyz"); DELETE FROM MYTABLE;';
you might get surprising results!
This is called SQL injection and it's important to escape all the values
before putting them into the statement.
An even better solution is prepared statements! With PDO (available as
an extension for PHP 5.x) these are natively supported. You prepare the
statements without any of the values and call them with the values. The
engine automatically escapes your data.
OLLi
____________
Bug? That's not a bug, that's a feature.
[T. John Wendel]
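Added example (not from the thread, not Shaun's or OLLi's code): the string-built INSERT from the post beside a PDO prepared statement, run against an in-memory SQLite database so it works offline. It assumes the pdo_sqlite extension is loaded; table and column names are taken from the thread.

```php
<?php
// Added example, not from the original post. The payload is the one OLLi
// quotes; with string concatenation its quotes and ';' become SQL syntax,
// with a prepared statement it is only ever a column value.
$value1 = 'xyz","xyz"); DELETE FROM MYTABLE;';
$value2 = 'second';

// 1) Vulnerable pattern from the thread: values spliced into the SQL text.
//    Built for display only, never executed here.
$unsafeSql = 'INSERT INTO MYTABLE (column1, column2) VALUES ("'
    . $value1 . '", "' . $value2 . '")';
echo "Unsafe statement text:\n$unsafeSql\n\n";

// 2) Prepared statement: the SQL text is sent once with placeholders, the
//    data travels separately, so nothing in $value1 can alter the statement.
//    (Assumption: pdo_sqlite is available. On MySQL you would additionally
//    set PDO::ATTR_EMULATE_PREPARES to false to get server-side prepares.)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE MYTABLE (column1 TEXT, column2 TEXT)');

$stmt = $pdo->prepare(
    'INSERT INTO MYTABLE (column1, column2) VALUES (:c1, :c2)'
);
$stmt->bindValue(':c1', $value1, PDO::PARAM_STR);
$stmt->bindValue(':c2', $value2, PDO::PARAM_STR);
$stmt->execute();

// Check the outcome: exactly one row exists and column1 holds the payload
// verbatim, i.e. no second statement ran and nothing was deleted.
$rows = $pdo->query('SELECT column1, column2 FROM MYTABLE')
            ->fetchAll(PDO::FETCH_ASSOC);
if (count($rows) !== 1 || $rows[0]['column1'] !== $value1) {
    throw new RuntimeException('prepared statement did not store the value literally');
}
printf("rows=%d, column1 stored as: %s\n", count($rows), $rows[0]['column1']);
```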