This thread has been great! I've learned so much useful stuff.
> For instance, if you expect a variable called $firstname to contain
> a name to be stored in a SQL database, be certain it does not contain
> SQL commands which can damage your database.
This is another thing I'd be interested in hearing more about. If all you
are doing is storing and retrieving data, what commands could possibly
be defined that could damage your database?
$firstName = "Chris";
mysql_query( "INSERT INTO names ( first_name ) VALUES ( \"$firstName\" )" );
$result = mysql_query( "SELECT first_name FROM names" );
while( $dataArray = mysql_fetch_assoc( $result )) {
echo $dataArray["first_name"]
}
If $firstName was set by a form submission, what malicious SQL code could
damage your database? All you are doing is storing, retreiving and displaying
data...
Chris
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
