On 2003-06-13 14:15-0400, Pushpinder Singh Garcha wrote:
> I am trying to execute a simple query using $_POST variables, so
> that variable poisoning is not possible. Note: I have register_globals
> ON on my site. I am getting the error shown below. Please advise ...
> as I can't seem to figure out why!

$_POST variables are still subject to poisoning; in your case, SQL
injection. The error you're getting, however, is because you have not
enclosed your quoted variable references with braces. For example:

    <?php echo "{$_POST['foo']}"; ?>

You should be passing each of those variables through
mysql_escape_string() before using them in a query.

-Zak

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
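
An added example, not part of either message: it runs the same lookup once with the braced $_POST interpolation and once with a bound parameter, over constructed form values. It uses PDO prepared statements on an in-memory SQLite database rather than the mysql_escape_string() call named in the reply; the table, column, field and function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Table, column and form-field
// names are hypothetical. Needs the pdo_sqlite extension (in-memory DB).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)");
$db->exec("INSERT INTO users (login) VALUES ('alice'), ('bob'), ('o''neil')");

// Braces make the string parse, but the value still becomes SQL text.
function lookupInterpolated(PDO $db, array $post): array
{
    $sql = "SELECT login FROM users WHERE login = '{$post['login']}'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the value is sent apart from the SQL text and is
// only ever compared as data.
function lookupBound(PDO $db, array $post): array
{
    $stmt = $db->prepare("SELECT login FROM users WHERE login = :login");
    $stmt->execute([':login' => $post['login']]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed form submissions standing in for $_POST.
$samples = [
    ['login' => "alice"],
    ['login' => "o'neil"],             // legitimate value containing a quote
    ['login' => "nobody' OR '1'='1"],  // value that rewrites the WHERE clause
];

foreach ($samples as $post) {
    foreach (['lookupInterpolated', 'lookupBound'] as $fn) {
        try {
            $result = count($fn($db, $post)) . " row(s)";
        } catch (PDOException $e) {
            $result = "query failed: " . $e->getMessage();
        }
        printf("%-18s %-20s %s\n", $fn, $post['login'], $result);
    }
}
```

Comparing the two result columns for the second and third samples shows where the interpolated query breaks on ordinary input and where it matches rows it should not.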