I didn't look into your problem, but I want to mention one thing that stands
out to me.
--- Frank Tudor <[EMAIL PROTECTED]> wrote:
> $query="SELECT payment FROM payment WHERE
> dln='".$_POST["dln"]."' = payment.dln='".$_POST["dln"]."' and
> users.password='".$_POST["password"]."'";
Never, ever build an SQL query using data directly from the client. You place
yourself at the mercy of every user of your site and their creative potential.
This code constitutes a security vulnerability.
Filter all data, assign it to another variable (so you know it has been
filtered), and then build your query using the filtered data:
$clean['dln'] = '';
if ($_POST['dln'] looks like a valid value)
{
$clean['dln'] = $_POST['dln'];
}
$sql = "... {$clean['dln']} ...";
Something similar to that anyway.
Hope that helps.
Chris
=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
