On 24 June 2011 15:44, Vitalii Demianets <vi...@nppfactor.kiev.ua> wrote: > On Friday 24 June 2011 17:28:08 Chris Stinemetz wrote: >> That worked perfectly! > > And will work, until you decide to put quotes in button name for some reason. > And until some malicious user forge POST request with > $_POST['post_tptest'] = "'; DROP DATABASE; --" > But you can use prepared statements to be safe ) ...and they don't need all > those fancy quoting/escaping/sanitizing ...and they have advantages for > repetitive operations. > And furthermore, I think Carthage must be destroyed.
http://xkcd.com/327/ -- Richard Quadling Twitter : EE : Zend : PHPDoc @RQuadling : e-e.com/M_248814.html : bit.ly/9O8vFY : bit.ly/lFnVea -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php