Hi,

On Tue, Aug 8, 2017 at 12:58 PM, Jens Alfke <j...@mooseyard.com> wrote:
>
>> On Aug 5, 2017, at 6:48 AM, Edmondo Borasio <edmondobora...@gmail.com> wrote:
>>
>> $query1="INSERT INTO Table"."(ID,name,surname)"."VALUES(\' ' . $NewID .
>> '\','newName','newSurname');";
>
> It’s a very, very bad idea to insert variable strings directly into a SQL 
> query like this. If the content of those strings is unknown or untrusted data 
> (as it usually is), it leaves you wide open to SQL Injection Attacks, which 
> give an attacker full access to your database. This is probably the single 
> most common form of attack against web applications.

Yup.
Just google "Jonny Drop All Tables". ;-)

Thank you.

>
> Your PHP SQLite API includes facilities for safely plugging variables into 
> the query, similar to printf. You put a placeholder like “?” into the SQL 
> string and then pass the actual value as a separate parameter to the PHP 
> function. That’s the right way to do it. (As a bonus, it lets you precompile 
> the query and reuse it, which speeds up your code.)
>
> —Jens
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
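The two approaches Jens contrasts, side by side, as an added example that is not part of the thread or of anyone's posted code. It uses Python's sqlite3 module rather than PHP, since it binds "?" placeholders the same way the PHP SQLite3 and PDO APIs do; the table name Person and column types are assumptions (the quoted query's "Table" is a reserved word), and the attacker inputs are constructed for the demonstration.

```python
import sqlite3

# Added example (not from the thread). Python's sqlite3 module binds '?'
# placeholders the same way the PHP SQLite3/PDO APIs do, so the mechanics
# carry over. The table name "Person" is an assumption.


def make_db():
    """Constructed in-memory database with the table the quoted query writes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Person (ID TEXT PRIMARY KEY, name TEXT, surname TEXT)")
    return conn


def insert_concat(conn, new_id):
    """Vulnerable: builds the statement by string concatenation, like the quoted PHP."""
    query = ("INSERT INTO Person(ID,name,surname) VALUES('" + new_id
             + "','newName','newSurname')")
    conn.execute(query)


def insert_param(conn, new_id):
    """Correct: '?' placeholder; SQLite receives the value separately and never parses it."""
    conn.execute("INSERT INTO Person(ID,name,surname) VALUES(?,'newName','newSurname')",
                 (new_id,))


def insert_many_param(conn, ids):
    """The bonus Jens mentions: one compiled statement, bound once per row."""
    conn.executemany("INSERT INTO Person(ID,name,surname) VALUES(?,?,?)",
                     [(i, "newName", "newSurname") for i in ids])


def rows(conn):
    return conn.execute("SELECT ID, name, surname FROM Person ORDER BY ID").fetchall()


def table_exists(conn):
    found = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='Person'").fetchone()
    return found is not None


# Constructed attacker input: closes the quoted ID, supplies its own name and
# surname, and comments out the rest of the statement with "--".
PAYLOAD = "42','evil','row')--"


def demo_concat():
    conn = make_db()
    insert_concat(conn, PAYLOAD)
    return rows(conn)          # attacker chose every column of the row


def demo_param():
    conn = make_db()
    insert_param(conn, PAYLOAD)
    return rows(conn)          # payload stored verbatim as the ID, other columns untouched


def demo_quote_breaks_concat():
    """Honest input breaks concatenation too: an ID with an apostrophe."""
    conn = make_db()
    try:
        insert_concat(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        return str(exc)        # a syntax error near "Brien"
    return None


def demo_reuse():
    conn = make_db()
    insert_many_param(conn, ["1", "2", "3"])
    return len(rows(conn))


# Stacked statements, the "drop all tables" case. PHP's SQLite3::exec() runs every
# statement in the string (it wraps sqlite3_exec); executescript() mirrors that
# here. The payload's tail is kept syntactically valid so the whole script runs.
DROP_PAYLOAD = "1','a','b'); DROP TABLE Person; SELECT 1 FROM (SELECT 'x"


def demo_drop_concat():
    conn = make_db()
    conn.executescript("INSERT INTO Person(ID,name,surname) VALUES('" + DROP_PAYLOAD
                       + "','newName','newSurname');")
    return table_exists(conn)  # the table is gone


def demo_drop_param():
    conn = make_db()
    insert_param(conn, DROP_PAYLOAD)
    return table_exists(conn) and rows(conn)[0][0] == DROP_PAYLOAD
```

The bound version never hands the attacker's text to the SQL parser: the statement is compiled once with a slot for the value, and the value travels as data, which is why the same string that drops the table in the concatenated version is just an odd-looking ID in the parameterized one. Escaping quotes by hand is not an equivalent fix; placeholders are the only approach that does not depend on getting every edge case of SQLite's lexer right.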