Quote:
Originally Posted by Rory
But where's the validation? SQL Injection here we come!
Something like mysql_escape_string() may be in order...
For full rant see here.
He has an excellent point that code is really easy to inject.
I would recommend using mysql_real_escape_string(), and when you form your SQL command, don't inline the variable.
e.g.
[PHP]$sql = "SELECT * FROM mytable WHERE id='$id'";[/PHP]
Instead use
[PHP]$sql = "SELECT * FROM mytable WHERE id='".$id."'";[/PHP]
That will also help prevent Injection from my understanding.
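As an added example (not code from this thread), the two string-building styles above side by side with an escaped query and a prepared statement; it uses PDO with an in-memory SQLite table of constructed rows so it runs offline, and PDO::quote stands in for mysql_real_escape_string(), which needs a live MySQL connection.

```php
<?php
// Added example, not code from the thread. Uses PDO with an in-memory SQLite
// database so it runs offline; the table and its rows are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mytable (id TEXT, name TEXT)");
$pdo->exec("INSERT INTO mytable VALUES ('1', 'alice'), ('O''Brien', 'bob')");

// Constructed input: a value that legitimately contains a single quote.
$id = "O'Brien";

// Both string-building styles from the post yield byte-identical SQL: the
// quote inside $id lands in the query text either way and breaks the syntax.
$inline = "SELECT * FROM mytable WHERE id='$id'";
$concat = "SELECT * FROM mytable WHERE id='" . $id . "'";
echo "inline and concatenated SQL identical: ", var_export($inline === $concat, true), "\n";
try {
    $pdo->query($inline);
    echo "dynamic SQL ran\n";
} catch (PDOException $e) {
    echo "dynamic SQL failed: the quote in the value was parsed as SQL\n";
}

// Escaping, as the post recommends: PDO::quote stands in here for
// mysql_real_escape_string (which needs a MySQL connection). It must be
// applied to every value on every query; a single missed value is enough.
$escaped = "SELECT * FROM mytable WHERE id=" . $pdo->quote($id);
echo count($pdo->query($escaped)->fetchAll()), " row(s) via escaping\n";

// Preferred: a prepared statement with a bound parameter. The value travels
// separately from the query text, so it cannot change the query's structure.
$stmt = $pdo->prepare("SELECT * FROM mytable WHERE id = :id");
$stmt->execute([':id' => $id]);
echo count($stmt->fetchAll()), " row(s) via prepared statement\n";
```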