I'd always understood that MySQL doesn't allow multiple statements to be
submitted, so this post obviously worried me. I did some tests and confirmed
that this is not a problem in MySQL queries from PHP. If I'm wrong about
this, please let me know.


        From:  scott [gts] [SMTP:[EMAIL PROTECTED]]
        Sent:  01 August 2001 18:03
        To:  php
        Subject:  RE: [PHP] SQL syntax error in PHP script.  dunno what's

        no offense to you sam, but please don't ever simply place
        single quotes around values.  you have to escape the values

        what if someone submitted the form field title as:
        $title = "'; DELETE FROM seminar; "

        if you didn't escape the single quotes in there, it
        would get interpreted as a valid DELETE statement
        and your seminar table would get wiped.

        however, if you escaped $title, you'd end up setting
        title to "\'; DELETE FROM SEMINAR; " 
        (rather than have the contents of $title interpreted
        as SQL commands)

        > -----Original Message-----
        > From: Sam Masiello [mailto:[EMAIL PROTECTED]]
        > Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
        > You will need to put single quotes around your variables in your
        > statement.  Like this:
        > $sql = "UPDATE TABLE seminar SET
        > ilding'
        > ,rm='$room'  WHERE id='$id'";
        > Without the quotes, SQL doesn't know that Something Amazing is
        > supposed to go together in the same string.
        > HTH

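The scenario described in scott's mail, worked through as an added example (not code from the thread): the hostile `$title` is run through the UPDATE three ways against an in-memory SQLite database via PDO so it can be tried offline. The column names `title`/`rm`/`id` and the `seminar` rows are assumptions, since the quoted UPDATE is truncated.

```php
<?php
// Added example, not from the thread. Needs the pdo_sqlite extension; run with
// `php sqli_demo.php`. Table layout and rows are constructed for the demo.

function freshDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE seminar (id INTEGER PRIMARY KEY, title TEXT, rm TEXT)");
    $pdo->exec("INSERT INTO seminar VALUES (1, 'Intro', '101'), (2, 'Advanced', '202')");
    return $pdo;
}

function rowCount(PDO $pdo): int {
    return (int) $pdo->query("SELECT COUNT(*) FROM seminar")->fetchColumn();
}

$title = "'; DELETE FROM seminar; ";   // the form value from the thread
$room  = '303';
$id    = '1';

// 1. Vulnerable: raw interpolation. The quote inside $title closes the string
//    literal early and the rest of the value is parsed as SQL. pdo_sqlite's exec()
//    hands the whole string to sqlite3_exec(), which runs each statement in turn:
//    the UPDATE, then the DELETE, and only then fails on the trailing fragment.
$pdo = freshDb();
$sql = "UPDATE seminar SET title='$title', rm='$room' WHERE id='$id'";
echo "vulnerable: $sql\n";
try { $pdo->exec($sql); } catch (PDOException $e) { echo "  error: " . $e->getMessage() . "\n"; }
echo "  rows left: " . rowCount($pdo) . "\n";        // the table has been wiped

// 2. Escaped: the thread's advice. PDO::quote() escapes the embedded quote in the
//    driver's dialect and wraps the value, so it stays one string literal.
$pdo = freshDb();
$sql = "UPDATE seminar SET title=" . $pdo->quote($title)
     . ", rm=" . $pdo->quote($room) . " WHERE id=" . $pdo->quote($id);
echo "escaped: $sql\n";
$pdo->exec($sql);
echo "  rows left: " . rowCount($pdo) . "\n";        // both rows survive

// 3. Preferred: a prepared statement. The values never enter the SQL text at all,
//    so there is nothing to escape and no quoting to get wrong.
$pdo = freshDb();
$stmt = $pdo->prepare("UPDATE seminar SET title = :title, rm = :rm WHERE id = :id");
$stmt->execute([':title' => $title, ':rm' => $room, ':id' => $id]);
$stored = $pdo->query("SELECT title FROM seminar WHERE id = 1")->fetchColumn();
echo "prepared: stored title is " . var_export($stored, true) . "\n";
echo "  rows left: " . rowCount($pdo) . "\n";        // both rows survive, title stored verbatim
```

Even where a driver refuses to run a second statement (the point raised at the top of this thread), an unescaped quote still changes the meaning of the one statement the server does execute, so escaping or, better, parameter binding is needed regardless of multi-statement support.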
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
