> SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE
> (blnHidden = FALSE AND ((fldBody LIKE '%$strCriteria%') OR (fldQuesTitle
> LIKE '%$strCriteria%')));

Say $strCriteria comes from one of the values in the $_REQUEST array;
a user change is coming through in that variable. So $strCriteria
could contain something like "%' OR fldBody = '' or fldBody LIKE '".
Things like this would not be very harmful in your select statement,
but say it was a delete/update/insert statement and your $_REQUEST
variable was some kind of primary key. They could delete your whole
table, update your whole table, etc.

Just make sure that data you get in is what you expect.

Here is a link that explains it better than I can:

http://www.sitepoint.com/article/794?ct=1

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
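The quoted query and the injected value from the reply above, reproduced as an added example that is not part of the thread: the vulnerable function interpolates the request value exactly as the original SQL does, while the hardened function binds it as a parameter and escapes LIKE wildcards. The table rows are constructed sample data, and SQLite stands in for the original database.

```python
import sqlite3

# Constructed stand-in for tblFAQ_Question: (autoQuesID, fldQuesTitle, fldBody, blnHidden).
ROWS = [
    (1, "Resetting a password", "Use the reset link on the login page.", 0),
    (2, "Internal: admin notes", "Staging DB password rotates monthly.", 1),
    (3, "Contact support", "Email support@example.invalid.", 0),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblFAQ_Question (autoQuesID INTEGER, fldQuesTitle TEXT, "
                 "fldBody TEXT, blnHidden INTEGER)")
    conn.executemany("INSERT INTO tblFAQ_Question VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, criteria):
    """Mirror of the quoted query: the request value is pasted straight into the SQL,
    so quotes in it end the string literal and the rest becomes part of the WHERE clause."""
    sql = ("SELECT autoQuesID FROM tblFAQ_Question WHERE (blnHidden = 0 AND "
           f"((fldBody LIKE '%{criteria}%') OR (fldQuesTitle LIKE '%{criteria}%'))) "
           "ORDER BY autoQuesID")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, criteria):
    """Bind the value as a parameter so it can never change the statement, and escape
    LIKE metacharacters so a user-supplied % or _ is matched literally, not as a wildcard."""
    escaped = criteria.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    pattern = f"%{escaped}%"
    sql = ("SELECT autoQuesID FROM tblFAQ_Question WHERE blnHidden = 0 AND "
           "(fldBody LIKE ? ESCAPE '\\' OR fldQuesTitle LIKE ? ESCAPE '\\') "
           "ORDER BY autoQuesID")
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    injected = "%' OR fldBody = '' or fldBody LIKE '"   # the value from the reply above
    print("vulnerable:", search_vulnerable(db, injected))  # every visible row, search bypassed
    print("safe:      ", search_safe(db, injected))        # [] : treated as a literal string
```

With the parameterized form the same input is searched for as text and matches nothing, and a bare "%" no longer turns the search into "return everything".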