> On Aug 5, 2017, at 6:48 AM, Edmondo Borasio <edmondobora...@gmail.com> wrote:
> *$query1="INSERT INTO Table"."(ID,name,surname)"."VALUES(\' ' . $NewID .
> '\','newName','newSurname');"; *

It’s a very, very bad idea to insert variable strings directly into a SQL query 
like this. If the content of those strings is unknown or untrusted data (as it 
usually is), it leaves you wide open to SQL Injection Attacks, which give an 
attacker full access to your database. This is probably the single most common 
form of attack against web applications.

Your PHP SQLite API includes facilities for safely plugging variables into the 
query, similar to printf. You put a placeholder like “?” into the SQL string 
and then pass the actual value as a separate parameter to the PHP function. 
That’s the right way to do it. (As a bonus, it lets you precompile the query 
and reuse it, which speeds up your code.)

sqlite-users mailing list

Reply via email to