"Vitalii Demianets" <vi...@nppfactor.kiev.ua> wrote:

>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>Holy Jesus!
>Can't wait to send to your server POST request with txt="1;DROP
>Of course, if you'll switch to prepared statements instead of string
>there will be no much fun.

Prepared statements aren't the only solution; a decent bit of filtering would
work too. In the OP's example he only needed an int, so something like:

$val = intval($_POST['txt']);

would do the trick. It just means that the value is safe (or at least in an
expected range) for use elsewhere in the code; it need not be restricted to a
DB query.

Sent from my Android phone with K-9 Mail. Please excuse my brevity.
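The two defences discussed in this thread side by side, as an added example that is not code from either poster: strict integer validation of the POST value plus a prepared statement with a typed bound parameter. It assumes a `patient` table with `id` and `name` columns and the `pdo_sqlite` extension, and uses an in-memory SQLite database with one constructed row so it runs offline. Note that `intval('1;DROP TABLE patient')` silently returns 1, so the example uses `FILTER_VALIDATE_INT`, which rejects such input outright instead of coercing it.

```php
<?php
// Added example (not from the thread): validate the id strictly, then bind it
// as a typed parameter so the value never becomes part of the SQL text.
declare(strict_types=1);

function lookupPatient(PDO $db, array $post): ?array
{
    // intval() would turn '1;DROP TABLE patient' into 1 and quietly return
    // row 1. FILTER_VALIDATE_INT returns false for anything that is not a
    // whole number, so malformed input is rejected rather than coerced.
    $id = filter_var($post['txt'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        return null;
    }

    // The id is bound as an integer parameter; it cannot alter the statement
    // even if validation were ever loosened.
    $stmt = $db->prepare('SELECT * FROM patient WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the OP's patient table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO patient (id, name) VALUES (1, 'constructed sample')");

// Constructed inputs standing in for $_POST['txt']: a valid id, two attempts
// to change the statement, an empty value and an id with no matching row.
foreach (['1', '1 OR 1=1', '1; DROP TABLE patient', '', '7'] as $input) {
    $row = lookupPatient($db, ['txt' => $input]);
    printf("%-26s => %s\n", var_export($input, true),
        $row === null ? 'rejected / no row' : $row['name']);
}
```

Only the first input returns a row; the others are rejected by validation or simply match nothing, and the table is intact afterwards.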

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
