On Thu, Mar 17, 2005 at 11:01:44AM -0500, John Taylor-Johnston wrote:
> Hi,
>
> I've read:
>
> http://dev.mysql.com/doc/mysql/en/create-table.html
>
> Would anyone code/approach this differently?
[...]
> $sql = "INSERT INTO $table
> (StudentNumber,Exercise1,Exercise2) values
> ('$StudentNumber','$Exercise1','$Exercise2')";
>
> mysql_select_db($db,$myconnection);
> mysql_query($sql) or die(print mysql_error());
>

Your example looks pretty solid, but the code above does not escape the $StudentNumber, $Exercise1, and $Exercise2 variables. If any of these variables contain data that, when placed into the SQL string, interferes with the SQL itself, you'll have unexpected failures and also a security hole if untrusted users can populate those variables.

The solution is to wrap any strings or untrusted input like that in a call to mysql_escape_string(), like so:

$sql = "INSERT INTO $table (StudentNumber,Exercise1,Exercise2) values ('".
    mysql_escape_string($StudentNumber)."','".
    mysql_escape_string($Exercise1)."','".
    mysql_escape_string($Exercise2)."')";

-jw

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
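The two failure modes jw describes (a value that merely breaks the statement, and a value that changes what the statement does) are easy to see side by side. The following is an added example, not code from the thread: it rebuilds the INSERT from the posted PHP in Python against an in-memory SQLite table (constructed here; the table name `results` and the three input tuples are assumptions) so it runs offline with no MySQL server. The `escape()` helper doubles single quotes, which is SQL-standard and what SQLite parses; MySQL's mysql_escape_string() backslash-escapes instead, which is exactly why the escaping function has to come from the driver talking to that server. The parameterized variant, where the driver ships the values separately from the SQL text, is the form a practitioner would reach for first.

```python
import sqlite3

# Constructed in-memory table using the column names from the thread.
SCHEMA = ("CREATE TABLE results "
          "(StudentNumber TEXT, Exercise1 TEXT, Exercise2 TEXT)")
INSERT = "INSERT INTO results (StudentNumber,Exercise1,Exercise2) VALUES "

# Constructed inputs: a benign row, one that merely breaks the SQL,
# and one that abuses it.
BENIGN = ("1001", "10", "9")
APOSTROPHE = ("O'Brien", "10", "9")
# Closes the value list early and appends a second row of the attacker's choice.
INJECTED = ("1002", "10", "0'),('9999','100','100")


def build_unescaped(student, ex1, ex2):
    """The original approach: raw values pasted into the statement text."""
    return INSERT + f"('{student}','{ex1}','{ex2}')"


def escape(value):
    """SQL-standard escaping: double every single quote.

    mysql_escape_string() backslash-escapes instead, which is MySQL grammar,
    not SQLite grammar. The rule must match the server that parses the
    string, so in real code use the driver's own escaping function."""
    return str(value).replace("'", "''")


def build_escaped(student, ex1, ex2):
    """Same statement, every interpolated value escaped first."""
    return INSERT + f"('{escape(student)}','{escape(ex1)}','{escape(ex2)}')"


def _run(execute):
    """Run one statement against a fresh table, the way a single
    mysql_query() call would, and report ('ok', rows) or ('error', message)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        execute(conn)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    rows = conn.execute(
        "SELECT StudentNumber,Exercise1,Exercise2 FROM results "
        "ORDER BY StudentNumber").fetchall()
    return ("ok", rows)


def insert_unescaped(values):
    return _run(lambda c: c.execute(build_unescaped(*values)))


def insert_escaped(values):
    return _run(lambda c: c.execute(build_escaped(*values)))


def insert_parameterized(values):
    # Preferred form: the driver sends the values separately from the SQL,
    # so no byte of user input is ever parsed as SQL.
    return _run(lambda c: c.execute(INSERT + "(?,?,?)", values))


if __name__ == "__main__":
    for label, values in (("benign", BENIGN),
                          ("apostrophe", APOSTROPHE),
                          ("injected", INJECTED)):
        print(label, "unescaped:", insert_unescaped(values))
        print(label, "escaped:  ", insert_escaped(values))
        print(label, "params:   ", insert_parameterized(values))
```

Running it shows the unescaped build failing outright on `O'Brien` (the "unexpected failures" in the reply) and silently storing two rows for the injected input, while the escaped and parameterized builds each store exactly one row whose Exercise2 column holds the attacker's string as plain data.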