Bruce Gilbert wrote:
//build and issue query
$sql = "INSERT INTO $table_name values ('', '$_POST[f_name]',
'$_POST[l_name]', '$_POST[address1]', '$_POST[address2]',
'$_POST[address3]', '$_POST[postcode]', '$_POST[country]',
'$_POST[prim_tel]', '$_POST[sec_tel]', '$_POST[email]',
'$_POST[birthday]')";

Holy riddled-with-security-holes Batman! Strange that no one has jumped
on this. That code could be easily hijacked to do nasty things to your
server. Google "sql injection php" or something like that and you'll
get lots of resources. E.g.:
http://dev.mysql.com/tech-resources/articles/guide-to-php-security.html

PS - Hello all! This is my first post to the list; I've been lurking
for a week or two.
--
Max Schwanekamp
http://www.neptunewebworks.com/
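
Added example, not part of the original message or either poster's code: the quoted INSERT rewritten with PDO bound parameters instead of string interpolation. The table name "contacts", the column names (taken from the form field names) and the in-memory SQLite database standing in for MySQL are assumptions made so the example runs offline.

```php
<?php
// Added example: table and column names are assumptions (columns mirror the form field names).
declare(strict_types=1);

const FIELDS = ['f_name', 'l_name', 'address1', 'address2', 'address3',
                'postcode', 'country', 'prim_tel', 'sec_tel', 'email', 'birthday'];
const ALLOWED_TABLES = ['contacts'];   // hypothetical table name

function insertContact(PDO $db, string $table, array $post): int
{
    // Identifiers cannot be bound as parameters, so check the table name against an allow-list.
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("unexpected table: $table");
    }
    // One named placeholder per field; the values travel separately from the SQL text.
    $cols  = implode(', ', FIELDS);
    $marks = ':' . implode(', :', FIELDS);
    $stmt  = $db->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
    foreach (FIELDS as $f) {
        // Missing or non-string fields (e.g. arrays sent as f_name[]=x) become empty strings.
        $v = $post[$f] ?? '';
        $stmt->bindValue(":$f", is_string($v) ? $v : '', PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// In-memory SQLite stands in for the MySQL server so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY AUTOINCREMENT, '
    . implode(' TEXT, ', FIELDS) . ' TEXT)');

// Constructed input: quotes and SQL-looking text that would alter the interpolated statement.
$post = ['f_name' => 'Conan', 'l_name' => "O'Brien", 'email' => "a@example.com'); --"];
$id = insertContact($db, 'contacts', $post);

$q = $db->prepare('SELECT l_name, email FROM contacts WHERE id = ?');
$q->execute([$id]);
$row = $q->fetch(PDO::FETCH_ASSOC);
var_dump($row['l_name'] === "O'Brien", $row['email'] === "a@example.com'); --");
echo $db->query('SELECT COUNT(*) FROM contacts')->fetchColumn(), " row(s)\n";
```

Both values come back from the database byte for byte, because the driver never parses them as part of the statement.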