Hi Viktor,
Viktor Popov wrote:
Hi,
I'm trying to do the following but I don't have any success. Could you help me here... I have this code in my page:
<?php
include "script/functions.php";
require 'script/common.inc';
$valid = TRUE;

if (isset ($_POST['submit'])) {
    foreach($_POST as $key=>$value) {
        $$key = $value;
    }
This is a huge security hole, far better is to do this:
if (isset ($_POST['submit'])) {
    foreach (array('field1', 'field2', 'field3') as $allowedfield) {
        if (isset($_POST[$allowedfield])) {
            $$allowedfield = $_POST[$allowedfield];
        }
    }
}
In addition, you really need to use mysql_escape_string() to avoid serious potential problems with SQL injection attacks.
[NOTE: mysql_db_query() is deprecated, use mysql_query()/mysql_select_db()]
mysql_select_db($DB);
mysql_query('INSERT INTO blahbalhblahblah VALUES("' . mysql_escape_string($field1) . '" ....');
Regards, Greg
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
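The two points in the reply above, as an added example that is not part of the original thread: the blanket `$$key = $value` copy lets request keys replace the script's own variables (`$valid`, `$DB`), while the allowlist does not, and the allowed values are then stored through bound parameters. Assumptions: the `$post` array, the `entries` table and the helper function names are constructed for illustration, and PDO with an in-memory SQLite database stands in for the `mysql_*` functions, which were removed in PHP 7.0.

```php
<?php
// Constructed request data standing in for $_POST.
$post = [
    'submit' => '1',
    'field1' => "O'Reilly",
    'field2' => 'say "hi"',
    'valid'  => '0',        // not a form field: collides with the script's $valid
    'DB'     => 'otherdb',  // collides with the $DB passed to mysql_select_db()
];

// Blanket copy, as in the quoted code: every request key becomes a variable.
function import_all(array $post): array {
    $valid = true;
    $DB = 'appdb';
    foreach ($post as $key => $value) {
        $$key = $value;
    }
    return ['valid' => $valid, 'DB' => $DB];
}

// Allowlist copy, as in the reply: only the named fields are read.
function import_allowed(array $post, array $allowed): array {
    $valid = true;
    $DB = 'appdb';
    $fields = [];
    foreach ($allowed as $name) {
        if (isset($post[$name]) && is_string($post[$name])) {
            $fields[$name] = $post[$name];
        }
    }
    return ['valid' => $valid, 'DB' => $DB, 'fields' => $fields];
}

var_dump(import_all($post));            // $valid and $DB now hold request data
$safe = import_allowed($post, ['field1', 'field2', 'field3']);
var_dump($safe['valid'], $safe['DB']);  // script variables are unchanged

// Bound parameters keep quote characters in the values out of the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entries (field1 TEXT, field2 TEXT)');
$stmt = $pdo->prepare('INSERT INTO entries (field1, field2) VALUES (?, ?)');
$stmt->execute([$safe['fields']['field1'], $safe['fields']['field2']]);
var_dump($pdo->query('SELECT field1, field2 FROM entries')->fetchAll(PDO::FETCH_ASSOC));
```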