On 8/14/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
>
> So I will definitely in the future keep an eye out for direct $_POST variables
> directly in a SQL query (I will just save a local copy from now on and use
> that).

No, you're missing the point. It isn't direct use of the variable from $_POST, it's that the value might contain quotes or other characters that can cause the database to execute SQL that you don't expect.

Use the mysql_real_escape_string() function on all values before including them in a query:

    $query = "SELECT * FROM `jobsdb` WHERE `id` = '" . mysql_real_escape_string($_POST['id']) . "'";

--
Chris Snyder
http://chxo.com/

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
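An added example (not from the thread or its authors) showing the point Chris makes: escaping a value is not enough unless the escaped value is also wrapped in quotes, and a bound parameter avoids the question entirely. It assumes an in-memory SQLite database through PDO instead of MySQL, a stand-in escape_only() for mysql_real_escape_string(), and a constructed jobsdb table.

```php
<?php
// Added example, not from the thread. Uses an in-memory SQLite database
// via PDO so it runs without a MySQL server. escape_only() stands in for
// mysql_real_escape_string() (SQLite escapes a quote by doubling it) and
// escapes WITHOUT quoting; PDO::quote() escapes AND adds the quotes.

function escape_only(string $s): string {
    return str_replace("'", "''", $s);   // escaping only, no surrounding quotes
}

// Run a query (optionally with bound parameters) and return how many rows matched.
function row_count(PDO $db, string $sql, array $params = []): int {
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return count($stmt->fetchAll(PDO::FETCH_COLUMN));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE jobsdb (id INTEGER PRIMARY KEY, title TEXT)");
$db->exec("INSERT INTO jobsdb VALUES (1, 'Sysadmin'), (2, 'DBA'), (3, 'Developer')");

// Constructed hostile input standing in for $_POST['id']. It contains no
// quote character, so escaping alone leaves it completely untouched.
$input = "1 OR 1=1";

// 1. Escaped but unquoted (the query shape from the thread): the OR becomes
//    part of the WHERE clause and every row in the table comes back.
$n1 = row_count($db, "SELECT id FROM jobsdb WHERE id = " . escape_only($input));

// 2. Escaped and quoted: the whole input is a single string literal compared
//    against id; nothing in the SQL structure changes.
$n2 = row_count($db, "SELECT id FROM jobsdb WHERE id = " . $db->quote($input));

// 3. Bound parameter: the value never becomes part of the SQL text at all.
$n3 = row_count($db, "SELECT id FROM jobsdb WHERE id = :id", [':id' => $input]);

printf("unquoted: %d rows, quoted: %d rows, bound: %d rows\n", $n1, $n2, $n3);
```

Under MySQL, case 2 would coerce the quoted string to the number 1 (with a truncation warning) and match one row rather than none, but the injected OR is still inert. Where `id` is numeric, casting with (int) or binding with PDO::PARAM_INT is the cleaner fix.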