YVES SUCAET wrote:
> One suggestion: you may want to put mysql_real_escape_string() wrappers around
> all those $_POST[] fields to prevent SQL hijacking of your site.
[...]
> mysqli_query($link, $sql) or die("Could not update..." .
Yves, he's using mysqli, not mysql. You should not mix those functions.
What he should do is this:
<?php
$sql = "UPDATE `schreur` SET FName=?, LName=?,
        email=?, Business=?, Address1=?,
        City=?, State=?, Zip=?, Coffee=?,
        subscribed=?, date=?, IPAddress=?,
        Meeting=? WHERE record=?";
$statement = mysqli_prepare($link, $sql);
// One type character per placeholder, in order:
// 9 strings, subscribed (int), 3 strings, record (int).
mysqli_stmt_bind_param($statement,
    'sssssssssisssi',
    $_POST['txtFName'],
    $_POST['txtLName'],
    // etc..
);
mysqli_stmt_execute($statement);
?>
Personally, I find the object style much easier to use than this
procedural style, but I am just being consistent with his code. Using a
prepared query will escape all necessary data automatically, provided
your string of types ('sssssssssisssi') is correct.
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
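A fuller version of the prepared-statement approach, added here as an example and not part of the original post: it derives the type string from a column map (which yields the same 'sssssssssisssi' as above) and checks that placeholder count, type string length and bound value count agree before executing, which is the "provided your string of types is correct" condition. The $_POST keys other than txtFName and txtLName, and the $link connection, are assumed names; PHP 7.4+ is assumed for arrow functions.

```php
<?php
// Added example, not code from the original post. Assumed: $link is an
// open mysqli connection; POST keys other than txtFName/txtLName are
// hypothetical names chosen for illustration.

$fields = [ // column => [POST key, bind type]; 'i' marks integer columns
    'FName'    => ['txtFName', 's'],    'LName'      => ['txtLName', 's'],
    'email'    => ['txtEmail', 's'],    'Business'   => ['txtBusiness', 's'],
    'Address1' => ['txtAddress1', 's'], 'City'       => ['txtCity', 's'],
    'State'    => ['txtState', 's'],    'Zip'        => ['txtZip', 's'],
    'Coffee'   => ['txtCoffee', 's'],   'subscribed' => ['chkSubscribed', 'i'],
    'date'     => ['txtDate', 's'],     'IPAddress'  => ['txtIP', 's'],
    'Meeting'  => ['txtMeeting', 's'],
];

// Build "SET `col`=?, ..." from the map so columns, types and values
// always come from the same source and cannot drift apart.
$set   = implode(', ', array_map(fn($c) => "`$c`=?", array_keys($fields)));
$sql   = "UPDATE `schreur` SET $set WHERE record=?";
$types = implode('', array_column($fields, 1)) . 'i';   // record is an int

$values = array_values(array_map(fn($f) => $_POST[$f[0]] ?? '', $fields));
$values[] = (int)($_POST['record'] ?? 0);

// Sanity check: one type character per placeholder and per value.
$placeholders = substr_count($sql, '?');
if ($placeholders !== strlen($types) || $placeholders !== count($values)) {
    throw new RuntimeException(sprintf(
        'bind mismatch: %d placeholders, %d types, %d values',
        $placeholders, strlen($types), count($values)));
}

// Values travel separately from the SQL text, so no escaping is needed.
$statement = mysqli_prepare($link, $sql) or die(mysqli_error($link));
mysqli_stmt_bind_param($statement, $types, ...$values);
mysqli_stmt_execute($statement) or die(mysqli_stmt_error($statement));
mysqli_stmt_close($statement);
?>
```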