A quick suggestion would be to build your query normally and then don't run the query if it has a semicolon that isn't inside quotes. Also, use single quotes in the update to make your checks easier:
UPDATE table_name SET field1='value1'

-----Original Message-----
From: Ronald Wiplinger
To: [EMAIL PROTECTED]
Sent: 3/1/02 6:00 PM
Subject: [PHP-DB] Security concern with web forms (update of MySQL data base)

A php page, which includes an update statement for a MySQL data base:

I am trying to figure out, how I can make sure that an update form on the web cannot include codes, that would update other parts of the database (or worse destroy a database).

bye

Ronald

Ronald Wiplinger, CEO, ELMIT - The Solution Provider
Tel. +886 2 8809-7680, Fax. +886 2 2809-0183, Mobile: +886 915 653-452
Net2Phone:8869550066, ICQ: 111651169
http://www.elmit.com http://www.wiplinger.org
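The semicolon check from the reply, set beside the same UPDATE run with bound parameters, as an added example that is not part of the original thread. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline (the prepare/execute calls are the same with the PDO MySQL driver), and the `users` table, its columns, the helper names and the form value are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: in-memory SQLite via
// PDO stands in for MySQL; table, columns and helper names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, nickname TEXT, is_admin INTEGER)");

// Restore the two constructed sample rows before each run.
function reset_rows(PDO $db): void {
    $db->exec("DELETE FROM users");
    $db->exec("INSERT INTO users VALUES (1, 'ronald', 0), (2, 'guest', 0)");
}

// The check suggested in the reply: flag a semicolon outside single quotes.
function has_unquoted_semicolon(string $sql): bool {
    $in_quote = false;
    foreach (str_split($sql) as $ch) {
        if ($ch === "'") {
            $in_quote = !$in_quote;
        } elseif ($ch === ';' && !$in_quote) {
            return true;
        }
    }
    return false;
}

// Constructed form value: it contains a quote but no semicolon.
$form_value = "x', is_admin='1";

// 1) Query built by string concatenation, guarded only by the semicolon check.
reset_rows($db);
$sql = "UPDATE users SET nickname='" . $form_value . "' WHERE id=2";
if (!has_unquoted_semicolon($sql)) {
    $db->exec($sql); // the check passes, yet the value sets a second column
}
$row = $db->query("SELECT nickname, is_admin FROM users WHERE id=2")->fetch(PDO::FETCH_ASSOC);
echo "concatenated: ", json_encode($row), "\n";

// 2) Same update with bound parameters: the value travels as data, not SQL text.
reset_rows($db);
$stmt = $db->prepare("UPDATE users SET nickname = :nick WHERE id = :id");
$stmt->execute([':nick' => $form_value, ':id' => 2]);
$row = $db->query("SELECT nickname, is_admin FROM users WHERE id=2")->fetch(PDO::FETCH_ASSOC);
echo "bound:        ", json_encode($row), "\n";
```

In the first run the form value reaches the `is_admin` column; in the second it is stored whole in `nickname` and `is_admin` stays 0.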