Escape it, use either htmlentities (with ENT_QUOTES) or addslashes.

--
itoctopus - http://www.itoctopus.com

"Richard Lynch" <ceo@xxxxxxxxx> wrote in message
news:45049.216.230.84.67.1174937044.squirrel@xxxxxxxxxxxxxxxx
> On Mon, March 26, 2007 9:59 am, Ross wrote:
> > Can I put post values directly into insert statements?
> >
> > $query = "INSERT INTO categories (category_name) VALUES
> > ('{$_POST['cat_name']}')";
>
> Sure!
>
> If you want your webserver to get hacked by the Bad Guys, just go
> right ahead and do that.
>
> [that was tongue-in-cheek]
>
> Start reading here:
> http://phpsec.org
>
> --
> Some people have a "gift" link here.
> Know what I want?
> I want you to buy a CD from some indie artist.
> http://cdbaby.com/browse/from/lynch
> Yeah, I get a buck. So?
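The following is an added example, not code from the thread or from either poster. It runs the INSERT pattern from Ross's question beside a parameterised version against an in-memory SQLite database, so it works offline. It assumes PHP with the PDO SQLite driver; the categories table, the request value and the attacker payload are all constructed here for the demonstration. The payload closes the quoted value and appends a second row, so the string-spliced query inserts two rows while the prepared statement stores the whole payload as a single literal value.

```php
<?php
// Added example (not from the thread): the vulnerable INSERT from the
// question next to a parameterised version, run against an in-memory
// SQLite database so it works offline. The table, the "request" value
// and the payload are constructed for this demonstration.

declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, category_name TEXT NOT NULL)');
    return $db;
}

// The pattern from the question: the request value is spliced into the SQL
// text, so whatever the client sends becomes part of the statement.
function insertUnsafe(PDO $db, string $catName): void
{
    $query = "INSERT INTO categories (category_name) VALUES ('{$catName}')";
    $db->exec($query);
}

// Hardened form: the SQL text is fixed, the value travels as a bound
// parameter and cannot change the structure of the statement.
function insertSafe(PDO $db, string $catName): void
{
    $stmt = $db->prepare('INSERT INTO categories (category_name) VALUES (:name)');
    $stmt->execute([':name' => $catName]);
}

function listCategories(PDO $db): array
{
    return $db->query('SELECT category_name FROM categories ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed attacker input standing in for $_POST['cat_name']: it closes
// the quoted value and starts a second VALUES tuple.
$payload = "Books'), ('pwned";

// String splicing: the payload becomes two rows, "Books" and "pwned".
$db = setupDb();
insertUnsafe($db, $payload);
print_r(listCategories($db));

// Bound parameter: one row whose category_name is the payload, verbatim.
$db = setupDb();
insertSafe($db, $payload);
print_r(listCategories($db));
```

On the escaping suggested in the reply above: addslashes() escapes quote characters without any knowledge of the database connection or its character set, and htmlentities() is an HTML output encoder that stores altered data rather than protecting the query. Binding the value, as insertSafe() does, keeps the data separate from the SQL regardless of its content.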