> $query = "UPDATE $table SET field1='$var1' WHERE id='$id'";

I really hope you don't have register_globals on, or you are validating the
value of $table before you run this kind of query, otherwise your query is
open up to an attack to update any table in the database...

$table = "admin SET admin='Yes' WHERE username='John' #";

The # will make the remainder of your query a comment and it'll be ignored
by MySQL...

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to