Since day one of me doing MySQL stuff in PHP, I've always set up my query as a variable then put it into the query function such as this:
    $query = "SELECT * FROM bobstuff WHERE id='1'";
    $result = mysql_query($query, $connection);
I've just become aware of the security risks of this. How could I make it so the $query variable isn't editable from the URL? Should I turn register_globals off?

Stephen Craton
"Life is a gift from God. Wasting it is like destroying a gift you got from the person you love most." --
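
An added example, not part of the original post: it shows when a request parameter can replace `$query` under register_globals and a version that never exposes the query string to the request. Assumptions: `extract()` stands in for register_globals (removed in PHP 5.4), an in-memory SQLite database via PDO stands in for MySQL, and the function names and sample request are constructed for illustration.

```php
<?php
declare(strict_types=1);

// extract($get) emulates register_globals=On: each request parameter
// becomes a variable before the page's own code runs.
function page_unconditional(array $get): string {
    extract($get);
    // Assigned on every request, so any injected $query is overwritten.
    $query = "SELECT * FROM bobstuff WHERE id='1'";
    return $query;
}

function page_conditional(array $get): string {
    extract($get);
    // "Default only if unset" lets a request-supplied $query survive.
    if (!isset($query)) {
        $query = "SELECT * FROM bobstuff WHERE id='1'";
    }
    return $query;
}

// Hardened form: no request-to-variable mapping at all. The one expected
// parameter is read explicitly, validated, and bound as a value.
function page_hardened(PDO $db, array $get): array {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                       // missing or non-integer id
    }
    $stmt = $db->prepare('SELECT * FROM bobstuff WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data and request (stand-in for $_GET).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bobstuff (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO bobstuff VALUES (1, 'first'), (2, 'second')");

$request = ['query' => 'SELECT * FROM other_table', 'id' => '2'];

echo "unconditional: ", page_unconditional($request), "\n";
echo "conditional:   ", page_conditional($request), "\n";
echo "hardened rows: ", json_encode(page_hardened($db, $request)), "\n";
echo "hardened, bad id: ",
     json_encode(page_hardened($db, ['id' => "2' OR '1'='1"])), "\n";
```

With register_globals off, neither of the first two functions would see the request's `query` value at all; the hardened form does not depend on that setting.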