Re: Conditional updating...


 





Grae Wolfe - PHP wrote:
Sorry I have been out of touch... I thought I had this problem beat, but I was wrong. I decided that the best thing to do was to filter the variables as the $sql statement was being created. I tried using the following code, and got a message back that it was invalid and my Query couldn't execute... Can anyone tell me where I screwed this one up??

Print out $sql and then try to manually do it in your mysql (or whatever DB engine) shell.

I imagine you have a syntax error and that will tell you exactly what and where it is :)

And I hope your only criterion for the value of each column isn't that it's just not empty.

If so you will be vulnerable to SQL injection attacks and your data will be compromised. You should at the very least quote the values with a valid SQL quoting function. (i.e. not just wrapping it in quotes but one that actually escapes certain characters and wraps it in quotes as need be)

Do not rely on that automatically being done (i.e. think how crappily unreliable and dangerous relying on "Magic Quotes" is, oi what a pile *that* is...)

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
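
Added example, not part of the original message or of the poster's code: one way to build the conditional UPDATE from only the non-empty fields while quoting every value with the driver's own quoting function (PDO::quote here). The table, column names, the buildUpdate() helper and the form input are all assumptions made up for illustration; an in-memory SQLite database is used so it runs offline.

```php
<?php
// Illustrative only: table "members", its columns and buildUpdate() are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT, city TEXT, email TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'Pat', 'Austin', 'pat@example.com')");

// Columns the form may change. Quoting protects values only, so column
// names come from this fixed list and never from the request itself.
$allowed = ['first_name', 'city', 'email'];

function buildUpdate(PDO $pdo, array $allowed, array $input, int $id): ?string
{
    $sets = [];
    foreach ($allowed as $col) {
        $value = isset($input[$col]) ? trim((string) $input[$col]) : '';
        if ($value === '') {
            continue;   // empty field: leave the column untouched
        }
        // PDO::quote escapes special characters and wraps the value in quotes.
        $sets[] = $col . ' = ' . $pdo->quote($value);
    }
    if (!$sets) {
        return null;    // nothing to set; avoids emitting "UPDATE ... SET WHERE"
    }
    // $id is typed int, so it cannot carry SQL text.
    return 'UPDATE members SET ' . implode(', ', $sets) . ' WHERE id = ' . $id;
}

// Constructed form input: an empty field, a value containing quote
// characters, and a key that is not in the allowed list.
$input = [
    'first_name' => '',
    'city'       => "O'Fallon', email = 'x",
    'is_admin'   => '1',
];

$sql = buildUpdate($pdo, $allowed, $input, 1);
echo $sql, PHP_EOL;     // print the statement before running it, as the reply suggests
if ($sql !== null) {
    $pdo->exec($sql);
}

// Show the stored row after the update.
$row = $pdo->query('SELECT first_name, city, email FROM members WHERE id = 1')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```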

