>> $band_id = $_SESSION['session_var'];
>> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";

It's always better not to concatenate user input into queries, otherwise
you are vulnerable to SQL Injection attacks:

  http://www.sans.org/top25errors/#cat1

Use bind variables with the appropriate syntax for your database.

Chris

--
Email: christopher.jo...@oracle.com  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/UGPOM
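The bind-variable version of the quoted query, written as an added example that is not part of the original post. It assumes a PDO connection to MySQL (the DSN and credentials are placeholders) and uses only the table and column names from the quoted code; the unsafe function reproduces the quoted pattern so the two can be compared side by side.

```php
<?php
// Added example, not code from the thread. Assumed: a PDO/MySQL connection and a
// table pic_upload with an integer band_id column. DSN and credentials are placeholders.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example_db',
    'app_user',
    'PLACEHOLDER_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// The pattern quoted in the thread: the value is interpolated into the SQL text,
// so whatever ends up in $band_id becomes part of the statement itself rather
// than being treated purely as data.
function picsForBandUnsafe(PDO $pdo, $band_id): array
{
    $query = "SELECT * FROM pic_upload WHERE band_id=$band_id";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed at prepare time and the value is sent
// separately as a bound parameter, so it can only ever be compared as a value.
function picsForBand(PDO $pdo, $band_id): array
{
    $stmt = $pdo->prepare('SELECT * FROM pic_upload WHERE band_id = :band_id');
    $stmt->bindValue(':band_id', (int) $band_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same session lookup as the quoted code; bail out if nothing is set.
session_start();
$band_id = $_SESSION['session_var'] ?? null;
if ($band_id === null) {
    exit("no band selected\n");
}

$rows = picsForBand($pdo, $band_id);
echo count($rows), " picture(s) for band ", (int) $band_id, "\n";
```

The cast to int and `PDO::PARAM_INT` are belt-and-braces on top of the bind: the bind alone already keeps the value out of the SQL text, and the type hint just lets the driver reject non-numeric session contents early. With the OCI8 extension the same idea is spelled `oci_parse()` followed by `oci_bind_by_name()` and `oci_execute()`, which is the "appropriate syntax for your database" the reply refers to.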

--
PHP Database Mailing List (http://www.php.net/)