On Wed, Apr 04, 2007 at 03:04:56AM +0000, [EMAIL PROTECTED] wrote:
> $Query = "SELECT * FROM $Tablename";

You better be VERY careful about the value of $Tablename. If it's set
directly by your script, that's fine, since you control what it can be.
But if $Tablename comes from user input, you MUST check that $Tablename
is a legitimate name before allowing it into a query.

For more information about SQL Injection, check out
http://phpsec.org/projects/guide/3.html#3.2

--Dan

--
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
            data intensive web and database programming
                http://www.AnalysisAndSolutions.com/
 4015 7th Ave #4, Brooklyn NY 11232  v: 718-854-0335 f: 718-854-0409
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
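
One way to do the check described in the message above, as an added example that is not part of the original post: the table names, the buildSelectAll() helper and the in-memory SQLite database (which assumes the pdo_sqlite extension) are hypothetical stand-ins. Table names cannot be bound as prepared-statement parameters, so the input is matched against a fixed list instead.

```php
<?php
// Hypothetical list of tables this script is allowed to read.
const ALLOWED_TABLES = ['articles', 'comments'];

function buildSelectAll(string $requested): string
{
    // Strict comparison: no type juggling, no case folding, no trimming.
    $idx = array_search($requested, ALLOWED_TABLES, true);
    if ($idx === false) {
        throw new InvalidArgumentException('Unknown table name');
    }
    // Interpolate the constant from our own list, never the raw input.
    $Tablename = ALLOWED_TABLES[$idx];
    return "SELECT * FROM $Tablename";
}

// Constructed demo data in a throwaway in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO articles (title) VALUES ('hello')");

// Constructed inputs standing in for a request parameter.
$inputs = ['articles', 'Articles', 'articles; DROP TABLE articles', 'users'];

foreach ($inputs as $input) {
    try {
        $Query = buildSelectAll($input);
        $rows = $pdo->query($Query)->fetchAll(PDO::FETCH_ASSOC);
        printf("%-32s accepted, %d row(s)\n", $input, count($rows));
    } catch (InvalidArgumentException $e) {
        // Anything not on the list never reaches the database.
        printf("%-32s rejected\n", $input);
    }
}
```

Only the exact string "articles" reaches the database here; the other three inputs are rejected before any SQL is built.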