Of course, you have to use filters, etc...

Bálint Horváth

On 25 May 2011 09:53, "Vitalii Demianets" <vitas@xxxxxxxxxxxxxxxxx> wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send a POST request to your server with txt="1;DROP DATABASE; --"
>
> Of course, if you switch to prepared statements instead of string embedding,
> there won't be much fun.
>
> --
> Vitalii
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
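Added example, not code from anyone in the thread: the quoted concatenated query beside a hardened version that validates the input as an integer (the "filters" mentioned above) and then uses a PDO prepared statement. The `patient` table and integer `id` column come from the quoted code; the in-memory SQLite database and the `findPatientById` helper are assumptions made so the example runs offline.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection to a database
// with a `patient` table whose `id` column is an integer, as in the quoted query.

// The quoted code builds the SQL by string concatenation, so whatever arrives in
// $_POST['txt'] becomes part of the statement text itself:
//   $query1 = "select * from patient where id=" . $_POST['txt'];

// Hardened version: validate first, then let the database treat the value as data.
function findPatientById(PDO $pdo, $rawId): ?array
{
    // FILTER_VALIDATE_INT returns false for anything that is not a plain integer,
    // so a value like "1;DROP DATABASE; --" is rejected before any query is built.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller decides how to report invalid input
    }

    // The bound value is sent separately from the statement text, so it can
    // never change the structure of the query.
    $stmt = $pdo->prepare('SELECT * FROM patient WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory SQLite database (assumption) so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO patient (id, name) VALUES (1, 'Alice'), (2, 'Bob')");

var_dump(findPatientById($pdo, '2'));                   // ["id" => 2, "name" => "Bob"]
var_dump(findPatientById($pdo, '1;DROP DATABASE; --')); // NULL: rejected by the filter
var_dump(findPatientById($pdo, '42'));                  // NULL: no such row
```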