Thank you for the thought, however, I don't have a shell that I can run in, 
hence, I have to rely on help from others.

"JupiterHost.Net" <[EMAIL PROTECTED]> wrote in message 
> Grae Wolfe - PHP wrote:
>>   Sorry I have been out of touch...  I thought I had this problem beat, 
>> but I was wrong.  I decided that the best thing to do was to filter the 
>> variables as the $sql statement was being created.  I tried using the 
>> following code, and got a message back that it was invalid and my Query 
>> couldn't execute...  Can anyone tell me where I screwed this one up??
> Print out $sql and then try to manually do it in your mysql (or whatever DB 
> engine) shell.
> I imagine you have a syntax error and that will tell you exactly what and 
> where it is :)
> And I hope your only criteria for the value of each column isn't that it's 
> just not empty.
> If so you will be vulnerable to SQL injection attacks and your data will 
> be compromised. You should at the very least quote the values with a valid 
> SQL quoting function. (IE not just wrapping it in quotes but one that 
> actually escapes certain characters and wraps it in quotes as need be)
> Do not rely on that automatically being done (IE think how crappily 
> unreliable and dangerous relying on "Magic Quotes" is, oi what a pile *that* 
> is...) 
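
The difference between wrapping a value in quotes by hand and passing it through a real quoting function, as an added example that is not part of the original thread. The `members` table, its columns and the sample input are assumptions made up for illustration, and an in-memory SQLite database stands in for MySQL so the script runs without a server.

```php
<?php
// Added example: table, columns and sample values are constructed for illustration.
$db = new PDO('sqlite::memory:');   // in-memory SQLite so it runs offline; the thread uses MySQL
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (last_name TEXT, city TEXT)');

// Constructed form input: an ordinary surname that contains an apostrophe.
$input = ['last_name' => "O'Brien", 'city' => 'Austin'];

// 1. Values wrapped in quotes by hand: the apostrophe ends the string literal early,
//    so the statement is no longer valid SQL. Printing $sql makes that visible.
$sql = "INSERT INTO members (last_name, city) "
     . "VALUES ('{$input['last_name']}', '{$input['city']}')";
echo "hand-quoted: $sql\n";
try {
    $db->exec($sql);
} catch (PDOException $e) {
    echo "  rejected: ", $e->getMessage(), "\n";
}

// 2. The driver's quoting function escapes the value and adds the surrounding quotes.
$sql = sprintf(
    'INSERT INTO members (last_name, city) VALUES (%s, %s)',
    $db->quote($input['last_name']),
    $db->quote($input['city'])
);
echo "PDO::quote:  $sql\n";
$db->exec($sql);

// 3. Placeholders: the values are bound separately and never become part of the SQL text.
$stmt = $db->prepare('INSERT INTO members (last_name, city) VALUES (?, ?)');
$stmt->execute([$input['last_name'], $input['city']]);

// Both the quoted and the prepared insert stored the surname unchanged.
print_r($db->query('SELECT last_name, city FROM members')->fetchAll(PDO::FETCH_ASSOC));
```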
