Eric Butera wrote:
$result = mysql_query($query) or die(mysql_error());
You know guys, after seeing all this talk of SQL injection over the
past few days, I'd also like to point out that "or die" is pretty bad too,
especially when coupled with mysql_error(). It can expose sensitive
system info (a security vuln) when a simple if (!$result) { show error
page } would have worked. I know I laugh and leave whenever I see
such an error on some site I stumble across.
yay - well said eric :)
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
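The pattern Eric describes, side by side with the fix he suggests, as an added example that is not part of the thread above. It uses mysqli rather than the mysql_* extension quoted in the post (mysql_* was removed in PHP 7; the error-handling point is identical), and the connection parameters, table name and the fail_closed() helper are placeholders chosen for the example.

```php
<?php
// Added example, not from the original mailing-list post.
// Shows why `or die(mysql_error())` is an information leak and what the
// `if (!$result) { show error page }` alternative looks like in practice.
declare(strict_types=1);

// Make mysqli report failures through return values, as mysql_* did, so the
// explicit checks below are what decides what the client sees. (Since PHP 8.1
// mysqli throws mysqli_sql_exception by default; an uncaught exception with
// display_errors=On leaks the same details as die(mysqli_error()).)
mysqli_report(MYSQLI_REPORT_OFF);
ini_set('display_errors', '0');   // belt and braces: never echo PHP errors to clients
ini_set('log_errors', '1');       // ... but do keep them in the server log

// The pattern Eric objects to. On any failure the raw driver error text
// (SQL fragment, table/column names, sometimes host or version details)
// goes straight to whoever triggered the failure, which is usually the
// person probing for injection.
function fetch_user_insecure(mysqli $db, string $username): array
{
    $sql = "SELECT id, email FROM users WHERE name = '$username'"; // also injectable
    $res = mysqli_query($db, $sql) or die(mysqli_error($db));     // leaks on failure
    return mysqli_fetch_assoc($res) ?: [];
}

// Generic failure path: the detail goes to the server log only, the client
// gets a fixed 500 page with nothing to learn from. Placeholder helper.
function fail_closed(string $detail): void
{
    error_log('[db] ' . $detail);  // visible to operators, not to the browser
    http_response_code(500);
    echo 'Sorry, something went wrong. Please try again later.';
    exit;
}

// Hardened version: every step is checked with a plain `if`, the real error
// is logged server-side, and the query is parameterised so user input
// cannot produce a SQL error (or an injection) in the first place.
function fetch_user(mysqli $db, string $username): array
{
    $stmt = mysqli_prepare($db, 'SELECT id, email FROM users WHERE name = ?');
    if ($stmt === false) {
        fail_closed('prepare failed: ' . mysqli_error($db));
    }
    if (!mysqli_stmt_bind_param($stmt, 's', $username)) {
        fail_closed('bind failed: ' . mysqli_stmt_error($stmt));
    }
    if (!mysqli_stmt_execute($stmt)) {
        fail_closed('execute failed: ' . mysqli_stmt_error($stmt));
    }
    $res = mysqli_stmt_get_result($stmt); // needs mysqlnd, the default driver
    if ($res === false) {
        fail_closed('get_result failed: ' . mysqli_stmt_error($stmt));
    }
    $row = mysqli_fetch_assoc($res);
    mysqli_stmt_close($stmt);
    return $row ?: [];
}

// Usage. Credentials and database name are placeholders.
$db = @mysqli_connect('localhost', 'app_user', 'app_password', 'appdb');
if ($db === false) {
    // mysqli_connect_error() would reveal the DB host and account name;
    // it belongs in the log, not on the page.
    fail_closed('connect failed: ' . mysqli_connect_error());
}
$user = fetch_user($db, $_GET['name'] ?? '');
header('Content-Type: application/json');
echo json_encode($user);
```

The only thing a probing client can observe from the hardened path is a generic 500, whereas fetch_user_insecure() hands them the driver's own description of what broke. Note that checking the return value is not enough on its own: if display_errors is on, a later warning or an uncaught exception will still print file paths and query text, so the ini settings (or their php.ini equivalents) are part of the fix.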