Quote:
|
Originally Posted by BlazingWolf
Instead use
[PHP]$sql = "SELECT * FROM mytable WHERE id='".$id."'";[/PHP]
That will also help prevent Injection from my understanding.
|
Surely you mean instead:
[PHP]$sql = 'SELECT * FROM mytable WHERE id=\''.mysql_escape_string($id).'\'';[/PHP]
The whole point is that when you process a tokenised string (one with double rather than single quotes around it) PHP will replace tokens of the form $name with the variable of that name, whereas with single quotes it will not. So if someone entered "$topsecretstuff" into an unvalidated form it would echo the contents of the variable with that name into the string, which is bad.
It is sometimes even possible to execute PHP in this way, e.g. by creating a malicious object through deserialization.
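As an added example (not code from either poster), the snippet below builds the query the two ways shown in the thread, then with the value escaped, and finally as a prepared statement where the value never becomes part of the SQL text; it assumes PHP 7+ with pdo_sqlite and constructs its own in-memory table and input.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with the pdo_sqlite extension.
// mysql_escape_string no longer exists in PHP 7+, so addslashes stands in for it
// here purely to show the MySQL-style escaping of a quote in the value.

function buildQueries(string $id): array {
    // Double-quoted literal: PHP substitutes $id in this source file.
    $interpolated = "SELECT * FROM mytable WHERE id='$id'";
    // Single-quoted literal with concatenation: the resulting SQL is identical.
    $concatenated = 'SELECT * FROM mytable WHERE id=\'' . $id . '\'';
    // Escaped value: the embedded quote is turned into \' (MySQL syntax; shown, not run here).
    $escaped = 'SELECT * FROM mytable WHERE id=\'' . addslashes($id) . '\'';
    return compact('interpolated', 'concatenated', 'escaped');
}

function lookupById(PDO $db, string $id): array {
    // The value is bound separately from the SQL text, so a quote inside it is just data.
    $stmt = $db->prepare('SELECT * FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample table and input; SQLite doubles quotes inside literals.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE mytable (id TEXT PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO mytable VALUES ('42', 'plain'), ('O''Brien', 'quoted id')");

$id = "O'Brien";   // constructed form input that happens to contain a single quote
foreach (buildQueries($id) as $label => $sql) {
    echo str_pad($label, 13) . $sql . PHP_EOL;
}
// The interpolated and concatenated strings are the same and both contain an
// unbalanced quote; the escaped one and the prepared statement treat it as data.
print_r(lookupById($db, $id));
```

Running it prints the three query strings and then the single matching row, since the prepared statement finds the id containing the quote without any string assembly.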