The fact that you're using placeholders will prevent an SQL injection attack from happening. You're good to go.
-----Original Message-----
From: James H. McCullars [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2008 1:27 PM
To: [email protected]
Subject: security advice needed

Hi, we have a special address that our users can forward spam complaints to, and the number of complaints is exceeding what I can deal with manually. So I am thinking of automating this process and populating a database with things like local user, sending IP, sending relay address, subject, etc. for each spam complaint that comes in. So I need to make sure that if I do something like the standard:

$sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");

and use the contents of the "Subject:" line as a value, some spammer couldn't put SQL code in the subject and have it interpreted. Something like:

Subject: Increase your money; "hello; use mysql; drop table users;"

or something to that effect. Would someone be able to do this, and if so, how would I guard against it?

Thanks...

Jim McCullars
University of Alabama in Huntsville
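A runnable illustration of the placeholder approach the reply recommends, added here as an example and not part of either message in the thread. It assumes DBD::SQLite is installed and uses an in-memory database; the `complaints` table, the column names and the sample subject lines (including the one from the question) are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# In-memory SQLite database so the example runs without any server (assumption: DBD::SQLite present).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });

# Constructed schema mirroring the fields the question wants to record.
$dbh->do(<<'SQL');
CREATE TABLE complaints (
    id          INTEGER PRIMARY KEY,
    local_user  TEXT NOT NULL,
    sending_ip  TEXT NOT NULL,
    relay       TEXT,
    subject     TEXT
)
SQL

# Prepare once with ? placeholders; every later execute() sends the values
# separately from the SQL text, so the driver never parses them as SQL.
my $ins = $dbh->prepare(
    "INSERT INTO complaints (local_user, sending_ip, relay, subject) VALUES (?, ?, ?, ?)"
);

# Constructed sample complaints. The first subject is the one from the question;
# the second carries a single quote, which would break naive string interpolation.
my @samples = (
    [ 'jsmith', '192.0.2.10', 'mail.example.net',
      q{Increase your money; "hello; use mysql; drop table users;"} ],
    [ 'jdoe',   '198.51.100.7', undef,
      q{O'Reilly's limited offer -- act now} ],
);

$ins->execute(@$_) for @samples;

# Show that the subjects were stored verbatim and nothing in them ran as SQL:
# the table still exists and holds exactly the rows we inserted.
my ($count) = $dbh->selectrow_array("SELECT COUNT(*) FROM complaints");
print "rows stored: $count\n";   # prints 2

my $rows = $dbh->selectall_arrayref(
    "SELECT local_user, subject FROM complaints WHERE local_user = ?",
    undef, 'jsmith'
);
printf "%s => %s\n", @$_ for @$rows;

$dbh->disconnect;
```

The protection comes from binding values through `execute()` rather than from anything the subject line contains, so the same statement handle is safe for every message that arrives. Note that placeholders cover values only: a table or column name taken from input (for example a per-user table) cannot be bound with `?` and needs a separate allow-list check.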
