Ford, Mike [LSS] wrote:
$chkboxes = $_POST['ch'];
$sql = 'SELECT ';
foreach($chkboxes as $k => $v) {
    $sql .= $v;
    if($k < (sizeof($chkboxes) - 1)) {
        $sql .= ', ';
    }
}
$sql .= ' FROM form';
$sql = 'SELECT ' . implode(', ', $chkboxes) . ' FROM form';
Just note that with either solution, someone can post a value of "* FROM table WHERE 1#" and see everything in any table in your database.
--
---John Holmes...
-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
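
Both snippets above paste the posted checkbox values into the query as column names, which is why the value quoted in the reply changes the statement. The following is an added example, not code from this thread: it keeps only values that exactly match an allowlist before building the SELECT. The column names and the helper `build_select` are hypothetical, and backtick identifier quoting assumes MySQL.

```php
<?php
// Columns of the `form` table that a user may select.
// These names are constructed for the example; substitute the real ones.
const ALLOWED_COLUMNS = ['name', 'email', 'phone', 'city'];

/**
 * Build the SELECT from posted checkbox values, keeping only values that
 * exactly match an allowlisted column name. Hypothetical helper.
 * Returns null when there is nothing valid to select.
 */
function build_select($posted): ?string
{
    if (!is_array($posted)) {
        return null;            // 'ch' missing or sent as a scalar
    }
    $columns = [];
    foreach ($posted as $value) {
        // Strict comparison: arrays, numbers and near-matches are rejected.
        if (is_string($value) && in_array($value, ALLOWED_COLUMNS, true)) {
            $columns[$value] = true;   // key by name to drop duplicates
        }
    }
    if ($columns === []) {
        return null;            // nothing valid selected; run no query
    }
    // Every identifier now comes from ALLOWED_COLUMNS, never from the request.
    $quoted = array_map(fn($c) => "`$c`", array_keys($columns));
    return 'SELECT ' . implode(', ', $quoted) . ' FROM form';
}

// Constructed sample inputs, standing in for $_POST['ch'].
$samples = [
    ['name', 'email'],                      // normal form submission
    ['name', '* FROM table WHERE 1#'],      // one valid value, one rejected
    ['* FROM table WHERE 1#'],              // nothing valid
    'name',                                 // scalar instead of array
];
foreach ($samples as $posted) {
    var_dump(build_select($posted));
}
```

Column names cannot be bound as prepared-statement parameters, so the allowlist is what protects the identifier list; any values used in a WHERE clause should still go through bound parameters.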