On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote: > my code is this: > $query1="select * from patient where id=".$_POST['txt']; > it works but Holy Jesus! Can't wait to send to your server POST request with txt="1;DROP DATABASE; --" Of course, if you'll switch to prepare statement instead of string embedding there will be no much fun. -- Vitalii -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
