After some comments on my code I went on a 'field trip' to learn about SQL injection...

Now, after testing some examples with single and double quotes and the MySQL comment (--), I haven't found any way to insert, edit or delete any data in the database.

The login script is rather simple:

    $query = "SELECT * FROM persons WHERE login='$login' AND password='$password'";
    $result = mysql_query($query) or die(mysql_error());

The form has action POST.

Now magic_quotes_gpc escapes every quote I insert. Does this mean that with magic_quotes_gpc on I am secured enough concerning MySQL injection through forms?

Thx

-- 
PHP General Mailing List (http://www.php.net/)
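
Added example, not part of the original post: the login check from the question written with bound parameters, so its safety does not depend on magic_quotes_gpc (removed in PHP 5.4; mysql_query() was removed in PHP 7.0). The PDO/SQLite in-memory setup, the check_login() helper, the sample account and the hashed `password` column are assumptions made for the example.

```php
<?php
// Added example (not the poster's code). Assumes the pdo_sqlite extension;
// an in-memory SQLite database stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one account in the post's `persons` table.
// Storing a password_hash() value in `password` is an assumption.
$pdo->exec('CREATE TABLE persons (login TEXT PRIMARY KEY, password TEXT)');
$ins = $pdo->prepare('INSERT INTO persons (login, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Hypothetical helper: the login check with bound parameters.
function check_login(PDO $pdo, string $login, string $password): bool
{
    // The SQL text is fixed; $login travels separately as a bound value,
    // so quotes or "--" in it can never change the statement's structure.
    $stmt = $pdo->prepare('SELECT password FROM persons WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // The password is never placed in SQL at all; it is verified in PHP.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs: a valid login, a wrong password, and the kind of
// quote/comment strings the post describes testing.
$cases = [
    ['alice', 'correct horse'],
    ['alice', 'wrong'],
    ["alice' -- ", 'anything'],
    ['alice" -- ', 'anything'],
];
foreach ($cases as [$login, $password]) {
    printf("%-14s %-18s => %s\n", json_encode($login), json_encode($password),
        check_login($pdo, $login, $password) ? 'accepted' : 'rejected');
}
```

With MySQL the same check_login() works unchanged once the PDO object is created with a mysql: DSN.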