Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this:
$query = "SELECT * FROM bobstuff WHERE id='1'";
$result = mysql_query($query, $connection);
I've just come aware of the security risks of this. How could I make it so the $query variable isn't editable from the URL? Should I turn register_globals off?
"Life is a gift from God. Wasting it is like destroying a gift you got from the person you love most." -- http://www.melchior.us
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php