On 2003-06-13 14:15-0400, Pushpinder Singh Garcha wrote:
> I am trying to execute a simple query using $_POST variables, so
> that variable poisoning is not possible. note: I have register_globals
> ON on my site. I am getting the error shown below. Please advise ...
> as I can't seem to figure out why!
$_POST variables are still subject to poisoning; in your case, SQL
injection. The error you're getting, however, is because you have not
enclosed your quoted variable references with braces. For example:
<?php
echo "{$_POST['foo']}";
?>
You should be passing each of those variables through
mysql_escape_string() before using them in a query.
-Zak
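The two points in the reply, the brace fix and escaping the value, side by side in an added example that is not code from this thread. It uses an in-memory SQLite database through PDO so it runs offline; the `users` table and the `$_POST` payload are constructed for illustration, and PDO::quote stands in for the 2003-era mysql_escape_string().

```php
<?php
// Added example, not code from the original thread. Uses an in-memory
// SQLite database via PDO so it runs offline; the "users" table and the
// $_POST payload are constructed for illustration.

// The parse error in the original post: inside a double-quoted string,
//   "... WHERE name = '$_POST['user']'"   is a syntax error, while
//   "... WHERE name = '{$_POST['user']}'" (braces) parses correctly.
// Fixing the braces makes the query run; it does not make it safe.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, secret TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's1'), ('bob', 's2')");

// Constructed attacker-controlled form input (what $_POST would carry).
$_POST = ['user' => "x' OR '1'='1"];

// Vulnerable: brace interpolation of raw POST data into the SQL text.
// The injected OR makes the WHERE clause true for every row.
$sql = "SELECT name FROM users WHERE name = '{$_POST['user']}'";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "interpolated: " . count($rows) . " row(s)\n";

// Escaped, as the reply recommends (mysql_escape_string() in 2003; here
// the driver-aware PDO::quote, which also adds the surrounding quotes).
// The single quote is escaped, so only a literal name match is possible.
$sql = "SELECT name FROM users WHERE name = " . $db->quote($_POST['user']);
$rows = $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
echo "escaped: " . count($rows) . " row(s)\n";

// Preferred today: a prepared statement keeps data out of the SQL text
// entirely, so no escaping step can be forgotten.
$stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute([$_POST['user']]);
echo "prepared: " . count($stmt->fetchAll(PDO::FETCH_COLUMN)) . " row(s)\n";
```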
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php