Posted by Andy Pieters on 09/26/78 11:14

Hi

Whilst you are searching the net, you might also want to search for 'sql
injection'. This is no joke!

Please use the mysql_escape_string on each variable you get from the user
side.

In your example

$Email = mysql_escape_string($_POST['Email']);
$Phonenumber = mysql_escape_string($_POST['Phonenumber']);

etc

There are some issues when magic quotes are turned on but you can implement a
hack that corrects any consuequences of that (stripslashes)


Andy






--
Registered Linux User Number 379093
-- --BEGIN GEEK CODE BLOCK-----
Version: 3.1
GAT/O/>E$ d-(---)>+ s:(+)>: a--(-)>? C++++$(+++) UL++++>++++$ P-(+)>++
L+++>++++$ E---(-)@ W+++>+++$ !N@ o? !K? W--(---) !O !M- V-- PS++(+++)
PE--(-) Y+ PGP++(+++) t+(++) 5-- X++ R*(+)@ !tv b-() DI(+) D+(+++) G(+)
e>++++$@ h++(*) r-->++ y--()>++++
-- ---END GEEK CODE BLOCK------
--
Check out these few php utilities that I released
under the GPL2 and that are meant for use with a
php cli binary:

http://www.vlaamse-kern.com/sas/
--

--

[Back to original message]