Jason Pruim wrote:

On Sep 11, 2007, at 1:22 PM, Instruct ICC wrote:

Also read http://en.wikipedia.org/wiki/SQL_injection

I have read about SQL injection, and I will be scrubbing the data before searching but the search is only available after logging into the system. No one who isn't logged in can even view the page :)

That couldn't be less relevant. Repeat after me... "Legitimate" users can be malicious too. All data going into a SQL statement needs to be escaped unless it's a hard-coded string. No exceptions. Ever.

-Stut

--
http://stut.net/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
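Stut's rule applied to exactly the kind of search form under discussion, as an added example that is not from the thread: the same query with the search term interpolated into the SQL text and then with it bound as a parameter. It uses PDO over an in-memory SQLite table; the table, rows and search term are constructed here for illustration.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database so it
// runs without a server; the table, rows and search term are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO contacts (name) VALUES ('Alice Smith'), ('Bob O''Brien')");

// Whatever a logged-in user typed into the search box. An apostrophe is a
// perfectly ordinary thing for a legitimate user to enter.
$term = "O'Brien";

// Vulnerable: the term becomes part of the SQL text, so a quote in the input
// changes the structure of the statement. With this input that surfaces as a
// syntax error; the point is that the input reached the parser at all.
function searchInterpolated(PDO $db, string $term): array
{
    $sql = "SELECT name FROM contacts WHERE name LIKE '%$term%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the term is bound as a parameter, so the database receives the
// statement and the data separately and nothing in the input can alter the
// statement, whoever typed it. (On 2007-era PHP without PDO, the equivalent is
// mysql_real_escape_string() on every value before it enters the SQL string.)
function searchPrepared(PDO $db, string $term): array
{
    $stmt = $db->prepare("SELECT name FROM contacts WHERE name LIKE :pattern");
    $stmt->execute([':pattern' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

try {
    print_r(searchInterpolated($db, $term));
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}
print_r(searchPrepared($db, $term));
```

The interpolated version fails on an innocent apostrophe from an authenticated user, which is the same defect an attacker would use; the prepared version returns the matching row regardless of what the input contains.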
