On Wednesday 18 August 2004 20:07, Ford, Mike [LSS] wrote:
> > > $sql = 'SELECT ' . implode(', ', $chkboxes) . ' FROM form';
> >
> > Just note that with either solution, someone can post a value of "*
> > FROM table WHERE 1#" and see everything in any table in your database.
>
> I was waiting for someone to come in with a security warning, but knew that
> whoever it was would express it much better than I could ;) -- so, a gold
> medal to John!!

The trouble is that it's a never-ending task. Almost every question
concerning SQL queries and accepting info from POST, GET etc. has security
implications if data is not sanitised. Where do you begin? Where do you end?

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-db
------------------------------------------
/* Everything is worth precisely as much as a belch, the difference being
that a belch is more satisfying. -- Ingmar Bergman */

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
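As an added illustration (not code from the thread), here is the usual fix for the pattern quoted above: column names cannot be bound as prepared-statement parameters, so each submitted checkbox value is accepted only if it matches an allow-list of real column names, while row-filter values still go through bound parameters. The `form` table, its column names, the `chkboxes` field name and the `$pdo` connection are assumed.

```php
<?php
// Added example. The table `form` and its columns are hypothetical; replace
// ALLOWED_COLUMNS with the real column names of your table.
const ALLOWED_COLUMNS = ['name', 'email', 'comment', 'submitted_at'];

/**
 * Build the SELECT column list from user-submitted checkbox values.
 * Identifiers cannot be parameterised, so the only safe approach is an
 * exact-match allow-list plus our own quoting of the accepted names.
 */
function buildColumnList(array $requested): string
{
    $columns = [];
    foreach ($requested as $col) {
        // Strict in_array: a value like "* FROM table WHERE 1#" is rejected
        // and never reaches the query string.
        if (!is_string($col) || !in_array($col, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException(
                'Unknown column: ' . var_export($col, true)
            );
        }
        $columns[] = '`' . $col . '`';
    }
    if ($columns === []) {
        throw new InvalidArgumentException('No columns selected');
    }
    return implode(', ', $columns);
}

// $pdo is assumed to be an existing PDO connection.
$chkboxes = $_POST['chkboxes'] ?? [];
try {
    $sql = 'SELECT ' . buildColumnList((array) $chkboxes) . ' FROM form';
    // The row filter is a value, not an identifier, so it is bound rather
    // than concatenated into the SQL text.
    $stmt = $pdo->prepare($sql . ' WHERE id = :id');
    $stmt->execute([':id' => (int) ($_GET['id'] ?? 0)]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
} catch (InvalidArgumentException $e) {
    // Reject the request instead of guessing what the caller meant.
    http_response_code(400);
    echo 'Bad request';
}
```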