"Vitalii Demianets" <vi...@nppfactor.kiev.ua> wrote:
>On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>Can't wait to send your server a POST request with txt="1;DROP
>Of course, if you switch to a prepared statement instead of a string,
>there won't be much fun.
>PHP General Mailing List (http://www.php.net/)
>To unsubscribe, visit: http://www.php.net/unsub.php
Prepared statements aren't the only solution; a decent bit of filtering would
work too. In the OP's example he only needed an int, so something like:
$val = intval($_POST['txt']);
would do the trick. It just means that the value is safe (or at least in an
expected range) for use elsewhere in the code; it need not be restricted only
to a DB query.
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
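The following is an added example, not code from either poster: it runs the original post's concatenated query, Vitalii's prepared-statement fix and the intval()-style filter from the reply side by side against a small in-memory SQLite table, so the difference can be observed offline. The patient table, its rows and the attacker payload "1 OR 1=1" are constructed for illustration; the helper names are my own.

```php
<?php
// Added example (not from the original thread). Requires the pdo_sqlite
// extension; run with: php sqli_demo.php
declare(strict_types=1);

// Constructed test data: a tiny "patient" table like the one in the post.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO patient (id, name) VALUES (1, 'Alice'), (2, 'Bob'), (3, 'Carol')");
    return $db;
}

// Vulnerable: the pattern from the original post. Whatever arrives in txt is
// spliced straight into the SQL text, so input like "1 OR 1=1" changes the
// WHERE clause instead of being treated as a value.
function vulnerableLookup(PDO $db, string $txt): array {
    $query1 = "select * from patient where id=" . $txt;
    return $db->query($query1)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1 (Vitalii's suggestion): a prepared statement. The SQL is parsed before
// the value is supplied, so the bound string can never become SQL syntax.
function preparedLookup(PDO $db, string $txt): array {
    $stmt = $db->prepare('SELECT * FROM patient WHERE id = :id');
    $stmt->execute([':id' => $txt]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2 (the reply's suggestion): enforce the type before concatenating.
// intval("1 OR 1=1") silently yields 1, which is safe for the query but hides
// the tampering; validating first lets the code reject malformed ids outright
// and then concatenate a value that can only ever be an integer.
function filteredLookup(PDO $db, string $txt): array {
    if (filter_var($txt, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $id = intval($txt);
    return $db->query('SELECT * FROM patient WHERE id=' . $id)->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$payload = '1 OR 1=1';   // constructed attacker value for $_POST['txt']

printf("vulnerable query returned %d rows for '%s'\n", count(vulnerableLookup($db, $payload)), $payload);
printf("prepared statement returned %d rows for '%s'\n", count(preparedLookup($db, $payload)), $payload);
try {
    filteredLookup($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("filtered lookup rejected '%s': %s\n", $payload, $e->getMessage());
}
printf("filtered lookup returned %d row for a well-formed id\n", count(filteredLookup($db, '2')));
```

With the concatenated query the payload widens the WHERE clause and every row comes back; the prepared statement binds "1 OR 1=1" as a plain string that matches no integer id, and the validated intval() path refuses it before any SQL is built. Both fixes close the injection; the filtering approach additionally leaves $id usable as a trusted integer elsewhere in the code, which is the point the reply makes.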