Re: Conditional updating...

Thank you for the thought; however, I don't have a shell that I can run in, 
hence I have to rely on help from others.


"JupiterHost.Net" <mlists@xxxxxxxxxxxxxxx> wrote in message 
news:449CA3D9.8080702@xxxxxxxxxxxxxxxxxx
>
>
> Grae Wolfe - PHP wrote:
>>   Sorry I have been out of touch...  I thought I had this problem beat, 
>> but I was wrong.  I decided that the best thing to do was to filter the 
>> variables as the $sql statement was being created.  I tried using the 
>> following code, and got a message back that it was invalid and my Query 
>> couldn't execute...  Can anyone tell me where I screwed this one up??
>
> Print out $sql and then try to manually do it in your mysql (or whatever DB 
> engine) shell.
>
> I imagine you have a syntax error and that will tell you exactly what and 
> where it is :)
>
> And I hope your only criterion for the value of each column isn't that it's 
> just not empty.
>
> If so you will be vulnerable to SQL injection attacks and your data will 
> be compromised. You should at the very least quote the values with a valid 
> SQL quoting function. (i.e. not just wrapping it in quotes but one that 
> actually escapes certain characters and wraps it in quotes as need be)
>
> Do not rely on that automatically being done (i.e. think how crappily 
> unreliable and dangerous relying on "Magic Quotes" is, oi, what a pile *that* 
> is...)

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
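
An added example, not part of the thread and not any poster's code: one way to build the conditional UPDATE discussed above, skipping empty fields while keeping every value out of the SQL text. It uses PDO bound parameters rather than the quoting function the reply mentions; the `members` table, its columns, the `buildConditionalUpdate` helper and the sample input are hypothetical, and it assumes the pdo_sqlite extension so it runs without a database server.

```php
<?php
// Constructed example: table "members" and its columns are hypothetical.
function buildConditionalUpdate(array $input, array $allowed, int $id): array
{
    $sets = [];
    $params = [':id' => $id];
    foreach ($allowed as $col) {
        // Skip fields that were not submitted, are not strings, or are empty.
        if (!isset($input[$col]) || !is_string($input[$col]) || trim($input[$col]) === '') {
            continue;
        }
        // Column names come only from the fixed allowlist, never from the request.
        $sets[] = "$col = :$col";
        // Values travel as bound parameters and never become part of the SQL text.
        $params[":$col"] = trim($input[$col]);
    }
    if ($sets === []) {
        return [null, []];   // nothing to update
    }
    return ['UPDATE members SET ' . implode(', ', $sets) . ' WHERE id = :id', $params];
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, first_name TEXT, city TEXT, email TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'Old', 'Oldtown', 'old@example.com')");

// Constructed form input: a value containing a quote (the usual cause of the
// "invalid query" error when values are pasted into $sql), an empty field,
// and a key that is not an updatable column.
$post = [
    'first_name' => "O'Brien",
    'city'       => '',
    'email'      => 'new@example.com',
    'is_admin'   => '1',
];

[$sql, $params] = buildConditionalUpdate($post, ['first_name', 'city', 'email'], 1);
echo $sql, "\n";   // the statement text contains placeholders only
if ($sql !== null) {
    $pdo->prepare($sql)->execute($params);
}
print_r($pdo->query('SELECT * FROM members WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```

Printing the statement, as the reply suggests, shows only column names and placeholders; `city` keeps its old value because the submitted field was empty, and `is_admin` is ignored because it is not in the allowlist.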

