> The problem is string compositing SQL queries. With a SQL command
> builder interface, query hacks don't occur. Right now, string
> compositing mysql queries with unvalidated input often results in just
> minor bugs, as from what I hear the mysql extension can't do chained
> queries yet, so there's no risk of someone injecting whatever SQL they
> choose, making it much harder to do evil.
Instead of 'SELECT .. WHERE id=$id' write 'SELECT ... WHERE id='.(int)$id
Instead of 'SELECT .. WHERE name=$name' write 'SELECT ... WHERE name="'.addslashes($name).'"'
Problem solved forever

Ard

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
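The two rewrites Ard gives, turned into small query-building functions and run over a few constructed inputs. This is an added example, not code from the post or from PHP itself; the table and column names (users, id, name) are assumed for illustration, and nothing is sent to a database, the functions only return the composed SQL string so the effect of the cast and of addslashes() can be read off directly.

```php
<?php
// Added example (not part of the original mailing-list post).
// Table/column names are assumed; no database connection is made.

// Numeric column: the (int) cast keeps only a leading integer, so any
// appended SQL is dropped and non-numeric text collapses to 0.
function queryById($id)
{
    return 'SELECT id, name FROM users WHERE id=' . (int) $id;
}

// String column: quote the value and let addslashes() backslash-escape
// single quotes, double quotes, backslashes and NUL bytes, as in the post.
// Double quotes are the delimiter to match the post's example.
function queryByName($name)
{
    return 'SELECT id, name FROM users WHERE name="' . addslashes($name) . '"';
}

// Constructed sample inputs: a benign value and injection attempts per column.
$samples = [
    ['id',   '42'],
    ['id',   '1 OR 1=1'],
    ['id',   '42; DROP TABLE users'],
    ['name', "O'Reilly"],
    ['name', 'x" OR "1"="1'],
];

foreach ($samples as [$column, $value]) {
    $sql = ($column === 'id') ? queryById($value) : queryByName($value);
    printf("%-26s -> %s\n", var_export($value, true), $sql);
}
// '1 OR 1=1' becomes WHERE id=1, '42; DROP TABLE users' becomes WHERE id=42,
// and 'x" OR "1"="1' becomes WHERE name="x\" OR \"1\"=\"1", a literal string.
```

Two practical notes on the pattern as written: the (int) cast maps any non-numeric input to 0, so if 0 can be a valid id the value should be validated separately rather than relying on the cast alone; and addslashes() escapes bytes without knowing the connection's character set, which is why PHP later added mysql_real_escape_string() and, in mysqli and PDO, prepared statements that keep the value out of the SQL text entirely.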