* Thus wrote Torsten Roehr:
> "Harlequin" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > Another day another problem. This time it appears that users are able to
> > enter their details but I get a query execution error with the following
> > section of code:
> >
> > /* Verify Login */
> > $sql = "SELECT UserFirstName,UserID,UserPassword FROM RegisteredMembers
> > WHERE UserID='$_POST[TXT_UserID]'";
>
> If your user id is of type int you don't need the quotes around the value.
> But you definitely need quotes around your POST array key:
> $sql = "SELECT UserFirstName,UserID,UserPassword FROM RegisteredMembers
> WHERE UserID = $_POST['TXT_UserID']";

Don't forget the {}'s

  "... WHERE UserID = {$_POST['TXT_UserID']}";

And to take it a step further: what if I passed:

  <input name="TXT_UserID" value="1 or 1=1">

Guess what... I bypassed your security. Validate/Make sure your data is
what you expect, a simple:

  $userid = (int) $_POST['TXT_UserID'];
  $sql = "... WHERE UserID = $userid";

Will fix that problem.

Curt
--
First, let me assure you that this is not one of those shady pyramid
schemes you've been hearing about. No, sir. Our model is the trapezoid!
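
An added example, not part of the original thread: the validation advice above taken one step further, with strict integer validation and a bound parameter instead of string interpolation. The in-memory SQLite table, its rows, and the helper names `parseUserId` and `findMember` are assumptions made for illustration; it goes beyond the cast shown in the message by rejecting malformed input rather than truncating it.

```php
<?php
// Constructed stand-in for the RegisteredMembers table (rows are made up).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE RegisteredMembers
           (UserID INTEGER PRIMARY KEY, UserFirstName TEXT, UserPassword TEXT)');
$db->exec("INSERT INTO RegisteredMembers VALUES (1, 'Alice', 'hash-a'), (2, 'Bob', 'hash-b')");

// Hypothetical helper: return the ID only if the whole value is a positive integer.
function parseUserId($raw): ?int
{
    if (!is_string($raw)) {
        return null; // arrays (TXT_UserID[]=...) and missing fields are rejected
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: look a member up with a bound integer parameter.
function findMember(PDO $db, $raw): ?array
{
    $id = parseUserId($raw);
    if ($id === null) {
        return null; // refuse malformed input instead of guessing what was meant
    }
    $stmt = $db->prepare('SELECT UserFirstName, UserID, UserPassword
                          FROM RegisteredMembers WHERE UserID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid ID, the value from the message above, an empty field.
// A bare (int) cast keeps only the leading digits, so it neutralises the injected
// condition but still treats "1 or 1=1" as user 1; strict validation rejects it.
foreach (['2', '1 or 1=1', ''] as $posted) {
    $row = findMember($db, $posted);
    printf("%-12s cast=%d lookup=%s\n", var_export($posted, true),
           (int) $posted, $row ? $row['UserFirstName'] : 'rejected');
}
```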