None of the previous posts added any security... They all ONLY provided different syntax to leave your database wide open for abuse.

This is much safer:

$cat_name_sql = mysql_real_escape_string($_POST['cat_name']);
$query = "insert into categories (category_name) values ('$cat_name_sql')";

You could/should also check for what you consider valid characters in a 'cat_name':

if (!preg_match('|^[a-z0-9_ -]+$|i', $_POST['cat_name'])) {
    // tell the user their cat_name is invalid, and don't do the INSERT
}

On Mon, March 26, 2007 10:14 am, Ross wrote:
> thanks.
>
> ""Ross"" <ross@xxxxxxxxxxxxx> wrote in message
> news:8F.10.54015.9CFD7064@xxxxxxxxxxxxxxx
>> Can I put post values directly into insert statements?
>>
>> $query = "INSERT INTO categories (category_name) VALUES
>> ('$_POST['cat_name'])";
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?
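Added example, not code from the thread above. It puts the interpolated INSERT Ross asked about next to a prepared-statement version of the same INSERT, and includes the allow-list check from the reply with its delimiters balanced. Because the mysql_* extension used in the reply was removed in PHP 7.0, the example uses PDO against an in-memory SQLite database so it runs offline with no MySQL server; the table and column names are the thread's, and the payload string is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Uses PDO + in-memory SQLite
// (pdo_sqlite) so it runs offline; "categories" / "category_name" are the
// names from the thread. The payload below is constructed attacker input.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE categories ('
        . 'id INTEGER PRIMARY KEY AUTOINCREMENT, '
        . 'category_name TEXT NOT NULL)');
    return $db;
}

// The pattern asked about in the thread: the submitted value becomes part of
// the SQL text, so a quote in the value changes the statement's structure.
function insertUnsafe(PDO $db, string $catName): void
{
    $db->exec("INSERT INTO categories (category_name) VALUES ('$catName')");
}

// Hardened form: the statement text is fixed and the value is bound as a
// parameter, so the database never parses the value as SQL.
function insertPrepared(PDO $db, string $catName): void
{
    $stmt = $db->prepare('INSERT INTO categories (category_name) VALUES (:name)');
    $stmt->execute([':name' => $catName]);
}

// The allow-list check suggested in the reply (letters, digits, '_', ' ', '-').
function isValidCatName(string $catName): bool
{
    return preg_match('/^[a-z0-9_ -]+$/i', $catName) === 1;
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM categories')->fetchColumn();
}

function storedNames(PDO $db): array
{
    return $db->query('SELECT category_name FROM categories ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed payload: closes the string literal and supplies a second row.
$payload = "Cat'), ('Injected";

// Raw interpolation: one form submission, two rows.
$db = openDb();
insertUnsafe($db, $payload);
printf("unsafe:   %d row(s): %s\n", rowCount($db), implode(' | ', storedNames($db)));

// Prepared statement: one row whose value is the payload, stored verbatim.
$db = openDb();
insertPrepared($db, $payload);
printf("prepared: %d row(s): %s\n", rowCount($db), implode(' | ', storedNames($db)));

// The allow-list rejects the payload before any INSERT is attempted.
var_dump(isValidCatName('Kitchen Knives'));
var_dump(isValidCatName($payload));
```

Run with `php example.php` on a build that has pdo_sqlite. The unsafe path turns the single submission into `VALUES ('Cat'), ('Injected')` and inserts two rows; the prepared path inserts exactly one row containing the payload as an ordinary string, and the allow-list check rejects the payload outright while accepting the ordinary name. Escaping (the reply's approach) and parameter binding both keep the quote from terminating the literal, but binding does not depend on the escaping function matching the connection's character set, which is why it is the form to reach for first; the allow-list check is still worth keeping as input validation, independent of how the query is built.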