> $query = "UPDATE $table SET field1='$var1' WHERE id='$id'";

I really hope you don't have register_globals on, or that you are validating the
value of $table before you run this kind of query, otherwise your query is
open to an attack to update any table in the database...

$table = "admin SET admin='Yes' WHERE username='John' #";

The # will make the remainder of your query a comment and it'll be ignored
by MySQL...

---John Holmes...


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
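
The validation the message above asks for, as an added example that is not part of the original post or the poster's code: the table and column names are checked against a fixed allow-list and the values are bound as parameters. `ALLOWED`, `safe_update()` and the table layout are hypothetical, and an in-memory SQLite database (pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example: allow-list identifiers, bind values.
// ALLOWED and safe_update() are hypothetical names; SQLite stands in for MySQL.
const ALLOWED = ['profiles' => ['field1'], 'settings' => ['field1']];

function safe_update(PDO $db, string $table, string $column, string $value, int $id): int
{
    // Identifiers cannot be bound as parameters, so compare them to fixed lists.
    $columns = ALLOWED[$table] ?? [];
    if (!in_array($column, $columns, true)) {
        throw new InvalidArgumentException('table or column not in allow-list');
    }
    // Only allow-listed literals reach the SQL text; values travel as parameters.
    $stmt = $db->prepare("UPDATE $table SET $column = :value WHERE id = :id");
    $stmt->execute([':value' => $value, ':id' => $id]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE profiles (id INTEGER PRIMARY KEY, field1 TEXT)");
$db->exec("CREATE TABLE admin (username TEXT, admin TEXT)");
$db->exec("INSERT INTO profiles VALUES (1, 'old')");
$db->exec("INSERT INTO admin VALUES ('John', 'No')");

// Constructed inputs: a normal table name, then the $table value from the message.
$inputs = ['profiles', "admin SET admin='Yes' WHERE username='John' #"];
foreach ($inputs as $table) {
    try {
        $n = safe_update($db, $table, 'field1', "it's new", 1);
        echo "updated $n row(s) in $table\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}

// The rejected input never reaches the database, so the admin row is untouched.
echo "admin flag: " . $db->query("SELECT admin FROM admin")->fetchColumn() . "\n";
```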
