Reply to Re: Inserting NULL Integer Values


Posted by Bogdan Ribic on 10/20/51 11:30

Oliver Grätz wrote:
> Shaun wrote:
>
>>$qid = mysql_query('INSERT INTO MYTABLE (
>> column1,
>> column2,
>> ) VALUES (
>> "'.$value1.'",
>> "'.$value2.'"
>> )');
>
>
> A bit off-topic but important: Always make sure that you check the
> contents of $value1 and $value2 before putting them into the query!
> With
>
> $value1 = 'xyz","xyz"); DELETE FROM MYTABLE;';
>
> you might get surprising results!
>
> This is called SQL injection and it's important to escape all the values
> before putting them into the statement.


Did you try that? This doesn't work on my machine:

mysql_query("DELETE FROM mytable; DELETE FROM mytable;");

i.e., the mysql extension won't let me do more than one statement at a time.

--

Open source PHP code generator for DB operations
http://sourceforge.net/projects/bfrcg/
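
The insert from the quoted snippet rewritten with bound parameters, as an added example that is not part of the original thread: whether or not the driver accepts several statements per call, the quoted value is stored as plain data, and a missing integer (the thread's subject) is bound as SQL NULL. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, and `insertRow()` is a hypothetical helper.

```php
<?php
// Added example: sqlite::memory: is a stand-in for MySQL (assumption) so this runs offline.
// Table and column names follow the quoted snippet; insertRow() is a hypothetical helper.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE MYTABLE (column1 TEXT, column2 INTEGER)');

function insertRow(PDO $pdo, string $text, ?int $number): void
{
    // The SQL text is fixed; the values travel separately as bound parameters,
    // so quotes and semicolons inside them are never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO MYTABLE (column1, column2) VALUES (:c1, :c2)');
    $stmt->bindValue(':c1', $text, PDO::PARAM_STR);
    // A missing integer is bound as SQL NULL, not as the string "" or "NULL".
    $type = ($number === null) ? PDO::PARAM_NULL : PDO::PARAM_INT;
    $stmt->bindValue(':c2', $number, $type);
    $stmt->execute();
}

// The value from the quoted post (no integer supplied), then an ordinary
// constructed value that happens to contain a double quote.
insertRow($pdo, 'xyz","xyz"); DELETE FROM MYTABLE;', null);
insertRow($pdo, 'O"Brien', 42);

// Read the rows back to see exactly what was stored.
foreach ($pdo->query('SELECT column1, column2 FROM MYTABLE') as $row) {
    var_dump($row['column1'], $row['column2']);
}
```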
