I'd always understood that MySQL doesn't allow multiple statements to be
submitted, so this post obviously worried me. I did some tests and confirmed
that this is not a problem in MySQL queries from PHP. If I'm wrong about
this, please let me know.
From: scott [gts] [SMTP:[EMAIL PROTECTED]]
Sent: 01 August 2001 18:03
Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
no offense to you Sam, but please don't ever simply place
single quotes around values. you have to escape the values.

what if someone submitted the form field title as:
$title = "'; DELETE FROM seminar; ";

if you didn't escape the single quotes in there, it
would get interpreted as a valid DELETE statement
and your seminar table would get wiped.

however, if you escaped $title, you'd end up setting
title to "\'; DELETE FROM SEMINAR; "
(rather than have the contents of $title interpreted
as SQL commands)
> -----Original Message-----
> From: Sam Masiello [mailto:[EMAIL PROTECTED]]
> Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's
> You will need to put single quotes around your variables in your
> statement. Like this:
> $sql = "UPDATE TABLE seminar SET
> ,rm='$room' WHERE id='$id'";
> Without the quotes, SQL doesn't know that Something Amazing is
> go together in the same string.
PHP General Mailing List (http://www.php.net/)
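
Added example, not part of the original thread: the `$title` value from the message above, first interpolated between single quotes (built and printed only, never executed) and then passed as a bound parameter. It assumes PDO with an in-memory SQLite database standing in for the MySQL server; the `seminar` columns follow the thread and the row data is constructed.

```php
<?php
// Added example: SQLite in-memory via PDO stands in for the MySQL server.
// Table and column names follow the thread; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE seminar (id INTEGER PRIMARY KEY, title TEXT, rm TEXT)");
$pdo->exec("INSERT INTO seminar (id, title, rm) VALUES (1, 'Something Amazing', 'B12')");
$pdo->exec("INSERT INTO seminar (id, title, rm) VALUES (2, 'Another Talk', 'C3')");

// The form value from the thread.
$title = "'; DELETE FROM seminar; ";
$id = 1;

// Pattern being criticised: quotes placed around the raw value. The string
// is only printed here, to show where the SQL string literal now ends.
$interpolated = "UPDATE seminar SET title='$title' WHERE id='$id'";
echo "Interpolated SQL:\n  $interpolated\n";

// Bound parameters: the statement text is fixed and the value travels
// separately, so the quote and semicolons are stored as ordinary characters.
$stmt = $pdo->prepare("UPDATE seminar SET title = :title WHERE id = :id");
$stmt->execute([':title' => $title, ':id' => $id]);

$rows   = (int) $pdo->query("SELECT COUNT(*) FROM seminar")->fetchColumn();
$stored = $pdo->query("SELECT title FROM seminar WHERE id = 1")->fetchColumn();

echo "Rows after bound UPDATE: $rows\n";
echo "Stored title equals the raw input: " . var_export($stored === $title, true) . "\n";

// Where a value must be embedded in the SQL text, let the driver quote it
// instead of wrapping it in quotes by hand.
echo "Driver-quoted literal: " . $pdo->quote($title) . "\n";
```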