On Feb 18, 2008 6:56 PM, Chris <dmagick@xxxxxxxxx> wrote:
> $query = "INSERT INTO artist (name,about_u,imgdata, profile_url)
> VALUES('$aname','$aboutu','$uploadedImage','$url_provided')";
>
> You have an sql injection problem here. Read up about that on the
> phpsec.org site:
>
> http://phpsec.org/projects/guide/3.html#3.2
>
> and a really good basic guide here:
>
> http://unixwiz.net/techtips/sql-injection.html

And in addition to the links Chris suggested, also RTFM on
mysql_real_escape_string(). It'll be your new best friend (unless
you're already using mysqli).

--
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
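
The INSERT quoted above, run once as concatenated SQL and once with bound parameters. This is an added example, not code from the thread: it assumes PDO with an in-memory SQLite database so it runs without a server (mysqli's prepare()/bind_param() binds values the same way), and the sample values are constructed.

```php
<?php
// Assumption: PDO + in-memory SQLite stands in for the poster's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE artist (name TEXT, about_u TEXT, imgdata BLOB, profile_url TEXT)');

// Constructed input: a legitimate name containing a quote, and binary image
// bytes that happen to contain a quote and NUL bytes.
$aname         = "Sinead O'Connor";
$aboutu        = 'Singer-songwriter';
$uploadedImage = "\x89PNG\r\n\x1a\n\x00'\x00";
$url_provided  = 'http://example.com/artist/1';

// 1) The query as built in the quoted post: values are pasted into the SQL text.
$query = "INSERT INTO artist (name,about_u,imgdata, profile_url)
          VALUES('$aname','$aboutu','$uploadedImage','$url_provided')";
try {
    $db->exec($query);
    echo "concatenated: inserted\n";
} catch (PDOException $e) {
    // The quote inside the data closed the string literal early, so the
    // input was parsed as SQL instead of being stored as a value.
    echo "concatenated: rejected (", $e->getMessage(), ")\n";
}

// 2) Same INSERT with placeholders: the statement text is fixed and the
//    values travel separately, so quotes and binary bytes stay data.
$stmt = $db->prepare(
    'INSERT INTO artist (name, about_u, imgdata, profile_url)
     VALUES (:name, :about, :img, :url)'
);
$stmt->bindValue(':name',  $aname,         PDO::PARAM_STR);
$stmt->bindValue(':about', $aboutu,        PDO::PARAM_STR);
$stmt->bindValue(':img',   $uploadedImage, PDO::PARAM_LOB);
$stmt->bindValue(':url',   $url_provided,  PDO::PARAM_STR);
$stmt->execute();

// Read the row back and confirm both fields round-trip unchanged.
$row = $db->query('SELECT name, imgdata FROM artist')->fetch(PDO::FETCH_ASSOC);
$img = is_resource($row['imgdata']) ? stream_get_contents($row['imgdata']) : $row['imgdata'];
echo "rows stored: ", $db->query('SELECT COUNT(*) FROM artist')->fetchColumn(), "\n";
var_dump($row['name'] === $aname, $img === $uploadedImage);
```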