I'd always understood that MySQL doesn't allow multiple statements to be
submitted, so this post obviously worried me. I did some tests and confirmed
that this is not a problem in MySQL queries from PHP. If I'm wrong about
this, please let me know.
Tim
----------
From: scott [gts] [SMTP:[EMAIL PROTECTED]]
Sent: 01 August 2001 18:03
To: php
Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's wrong
No offense to you Sam, but please don't ever simply place
single quotes around values. You have to escape the values
*themselves*.
What if someone submitted the form field title as:
$title = "'; DELETE FROM seminar; "
If you didn't escape the single quotes in there, it
would get interpreted as a valid DELETE statement
and your seminar table would get wiped.
However, if you escaped $title, you'd end up setting
title to "\'; DELETE FROM seminar; "
(rather than have the contents of $title interpreted
as SQL commands).
> -----Original Message-----
> From: Sam Masiello [mailto:[EMAIL PROTECTED]]
> Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's wrong
>
>
> You will need to put single quotes around your variables in your
> SQL statement. Like this:
>
> $sql = "UPDATE seminar SET title='$title', speaker='$speaker',
>         event_date='$tdate', time='$time', bldg='$building',
>         rm='$room' WHERE id='$id'";
>
> Without the quotes, SQL doesn't know that "Something Amazing" is
> supposed to go together in the same string.
>
> HTH
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]