"Vitalii Demianets" <vitas@xxxxxxxxxxxxxxxxx> wrote: >On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote: >> my code is this: >> $query1="select * from patient where id=".$_POST['txt']; >> it works but > >Holy Jesus! >Can't wait to send to your server POST request with txt="1;DROP >DATABASE; --" > >Of course, if you'll switch to prepare statement instead of string >embedding >there will be no much fun. > >-- >Vitalii > >-- >PHP General Mailing List (http://www.php.net/) >To unsubscribe, visit: http://www.php.net/unsub.php Prepared statements aren't the only solution, a decent bit of filtering would work too. In the OPs example he only needed an int, so something like: $val = intval($_POST['txt']); Would do the trick. It just means that the value is safe (or at least in an expected range) for use elsewhere in the code, it may not necessarily only be restricted to a DB query. Thanks Ash -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
