> On Aug 5, 2017, at 6:48 AM, Edmondo Borasio <edmondobora...@gmail.com> wrote:
>
> $query1="INSERT INTO Table"."(ID,name,surname)"."VALUES(\' ' . $NewID . '\','newName','newSurname');";
It’s a very, very bad idea to insert variable strings directly into a SQL query like this. If the content of those strings is unknown or untrusted data (as it usually is), it leaves you wide open to SQL Injection Attacks, which give an attacker full access to your database. This is probably the single most common form of attack against web applications.

Your PHP SQLite API includes facilities for safely plugging variables into the query, similar to printf. You put a placeholder like “?” into the SQL string and then pass the actual value as a separate parameter to the PHP function. That’s the right way to do it. (As a bonus, it lets you precompile the query and reuse it, which speeds up your code.)

—Jens

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
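The following is an added example, not code from the thread or from either poster. It puts the concatenated INSERT from the question next to the "?"-placeholder form described in the reply, using PHP's built-in SQLite3 class against an in-memory database. The table name "people", its TEXT columns, and the hostile value for $NewID are assumed/constructed for the demonstration.

```php
<?php
// Added example (not from the thread): the concatenated INSERT from the
// question beside the "?"-placeholder form the reply recommends, run with
// PHP's SQLite3 class on an in-memory database. Table name "people" and
// the attacker-controlled input below are assumed/constructed.

$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE people (ID TEXT, name TEXT, surname TEXT)');

// Constructed hostile input for $NewID: ends the quoted value, appends a
// second VALUES row, and comments out the remainder of the original query.
$newID = "1','x','y'),('999','Eve','Injected'); --";

// (1) Unsafe: the same shape as the question. $newID becomes part of the
// SQL text, so the attacker rewrites the statement. sqlite3_exec runs
// every statement in the string, so the extra row lands in the table.
$unsafe = "INSERT INTO people (ID,name,surname) VALUES ('" . $newID . "','newName','newSurname');";
$db->exec($unsafe);

function countInjected(SQLite3 $db): int {
    return (int) $db->querySingle("SELECT count(*) FROM people WHERE surname = 'Injected'");
}
printf("After concatenation: %d injected row(s)\n", countInjected($db));

$db->exec('DELETE FROM people');

// (2) Safe: "?" placeholders are compiled as part of the statement; the
// bound values are pure data and cannot change the statement's structure.
$stmt = $db->prepare('INSERT INTO people (ID,name,surname) VALUES (?, ?, ?)');
$stmt->bindValue(1, $newID, SQLITE3_TEXT);
$stmt->bindValue(2, 'newName', SQLITE3_TEXT);
$stmt->bindValue(3, 'newSurname', SQLITE3_TEXT);
$stmt->execute();

// The compiled statement can be reset and reused with new values (the
// "precompile and reuse" bonus) instead of rebuilding the SQL each time.
foreach ([['2', 'Ada', 'Lovelace'], ['3', 'Grace', 'Hopper']] as [$id, $name, $surname]) {
    $stmt->reset();
    $stmt->bindValue(1, $id, SQLITE3_TEXT);
    $stmt->bindValue(2, $name, SQLITE3_TEXT);
    $stmt->bindValue(3, $surname, SQLITE3_TEXT);
    $stmt->execute();
}

printf("After prepared statement: %d injected row(s)\n", countInjected($db));

// The hostile string is stored verbatim as the ID of one ordinary row.
$res = $db->query('SELECT ID, name, surname FROM people ORDER BY rowid');
while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
    printf("%s | %s | %s\n", $row['ID'], $row['name'], $row['surname']);
}
```

Run it with the php CLI (the sqlite3 extension is bundled with most builds). The first count is 1 because the concatenated query was turned into a two-row INSERT; the second is 0 because the bound value never reaches the SQL parser, so the same payload is just an odd-looking ID. The same pattern applies to SELECT, UPDATE and DELETE: the SQL text contains only placeholders, and every user-supplied value goes through bindValue.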