> On Aug 5, 2017, at 6:48 AM, Edmondo Borasio <edmondobora...@gmail.com> wrote:
> $query1 = "INSERT INTO Table" . "(ID,name,surname)" . "VALUES('" . $NewID . "','newName','newSurname');";
It’s a very, very bad idea to insert variable strings directly into a SQL query
like this. If the content of those strings is unknown or untrusted data (as it
usually is), it leaves you wide open to SQL Injection Attacks, which give an
attacker full access to your database. This is probably the single most common
form of attack against web applications.
Your PHP SQLite API includes facilities for safely plugging variables into the
query, similar to printf. You put a placeholder like “?” into the SQL string
and then pass the actual value as a separate parameter to the PHP function.
That’s the right way to do it. (As a bonus, it lets you precompile the query
and reuse it, which speeds up your code.)
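The contrast described above, written out as an added example (not code from the thread or from the SQLite project): it assumes the PHP SQLite3 extension, uses a placeholder table name `Person` in place of the quoted `Table`, and feeds both versions a constructed ID value containing a single quote.

```php
<?php
// Added example, not from the original thread. Assumes the PHP SQLite3
// extension; "Person" is a placeholder table name standing in for "Table".
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE Person (ID TEXT PRIMARY KEY, name TEXT, surname TEXT)');

// Constructed sample input: an ID that contains a single quote, as
// user-supplied data often does.
$newID = "O'Brien-1";

// 1. Unsafe: string concatenation, as in the quoted message. The quote inside
//    $newID ends the SQL literal early, so the rest of the value is parsed as
//    SQL text rather than stored as data. Here that yields a syntax error;
//    with other input it would change what the statement does.
$unsafe = "INSERT INTO Person(ID,name,surname) VALUES('" . $newID
        . "','newName','newSurname');";
$ok = @$db->exec($unsafe);
echo "concatenated query executed: "
   . ($ok ? "yes" : "no (" . $db->lastErrorMsg() . ")") . "\n";

// 2. Safe: a prepared statement with "?" placeholders. Each value is bound
//    separately and is never parsed as SQL, whatever characters it contains.
$stmt = $db->prepare('INSERT INTO Person(ID,name,surname) VALUES(?,?,?)');
$stmt->bindValue(1, $newID, SQLITE3_TEXT);
$stmt->bindValue(2, 'newName', SQLITE3_TEXT);
$stmt->bindValue(3, 'newSurname', SQLITE3_TEXT);
$stmt->execute();

// The compiled statement can be reset and reused with new values, which is
// the precompile-and-reuse bonus the reply mentions.
$stmt->reset();
$stmt->bindValue(1, 'second-id', SQLITE3_TEXT);
$stmt->execute();

// Verify what was stored: the quote in the first ID is preserved exactly.
$res = $db->query('SELECT ID FROM Person ORDER BY ID');
while ($row = $res->fetchArray(SQLITE3_ASSOC)) {
    echo $row['ID'] . "\n";
}
```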
sqlite-users mailing list