On Jul 22, 2004, at 10:54 AM, Rick Romero wrote:
> phpMember just does:
> $result = mysql_fetch_array(mysql_db_query($db_name,
>     "SELECT * FROM $tbl_member WHERE login = '$login'"));

But that doesn't seem safe to me.

What if I enter this for login:

fred'; DELETE * FROM vpopmail WHERE username != 'fred

Ouch. Be sure to escape the data they provide. Perl provides a nice interface where you use ? in the query, and pass the parameter separately and it automatically escapes it.

As for multiple lines in the table, add a timestamp and then use ORDER BY stamp DESC to get the latest.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
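The escape-or-parameterize advice above, written out as an added PHP example (not phpMember's code and not from the thread): PDO's ? placeholders bind the login as data, so the hostile string from the thread matches no row and alters nothing, and ORDER BY stamp DESC picks the latest row. It assumes an in-memory SQLite table named member with columns login and stamp.

```php
<?php
// Added example, not phpMember's code. Table and column names
// (member, login, stamp) are assumptions modelled on the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With pdo_mysql you would also set PDO::ATTR_EMULATE_PREPARES to false
// so the ? placeholders are real server-side parameters.

$pdo->exec("CREATE TABLE member (id INTEGER PRIMARY KEY, login TEXT, stamp INTEGER)");
$seed = $pdo->prepare("INSERT INTO member (login, stamp) VALUES (?, ?)");
foreach ([['fred', 100], ['fred', 200], ['alice', 150]] as $row) {
    $seed->execute($row);
}

// The ? placeholder is bound separately from the SQL text; the driver sends
// $login as a value, never as SQL, so quotes in it cannot change the statement.
// ORDER BY stamp DESC LIMIT 1 returns the most recent row for that login.
function latestMember(PDO $pdo, string $login): ?array
{
    $stmt = $pdo->prepare(
        "SELECT id, login, stamp FROM member WHERE login = ? ORDER BY stamp DESC LIMIT 1"
    );
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function memberCount(PDO $pdo): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM member")->fetchColumn();
}

// The payload from the thread, bound as an ordinary string (constructed input).
$hostile = "fred'; DELETE * FROM vpopmail WHERE username != 'fred";

var_dump(latestMember($pdo, $hostile)); // NULL: no login equals that literal
var_dump(latestMember($pdo, 'fred'));   // the fred row with stamp 200
var_dump(memberCount($pdo));            // int(3): nothing was deleted
```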