Everybody seems to agree on escaping :-) And I'm learning! HEREDOC, nifty indeed! How about your $_POST variable, is there anything in there?

On Wed, Aug 27, 2008 at 6:38 PM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
> On Aug 27, 2008, at 12:24 PM, Evert Lammerts wrote:
>
>> Your index.php looks very strange:
>>
>>> <?PHP
>>>
>>> <form method="post" action="purlprocess.php">
>>> ....
>>> </form>
>>>
>>> ?>
>>
>> I'm guessing you're echoing this? I never echo from my scripts so I
>> don't know if this is new functionality, but in my days you echoed
>> either by <?="...";?> or by <? echo "..."; ?>.
>
> It is an index.php page using the HEREDOC syntax... so basically:
>
> echo <<<HTML
> <P>any HTML code goes here
> HTML;
>
> pretty nifty I feel.
>
>>
>> Anyway, since you're using the $_POST variable, did you check if it
>> contains any values? You can do this with var_dump($_POST); Let us
>> know what the results are.
>>
>> Another tip:
>>
>>> $FName= $_POST['txtFName'];
>>> etc
>>
>> is terrible practice - if anybody writes an SQL command into one of
>> your textfields it WILL be executed; this is called SQL injection. A
>> less terrible scenario, but still one that messes up your page, is if
>> somebody uses quotes. So always use mysql_real_escape_string() on your
>> post variables before using them in a query.
>
> mysql_real_escape_string() won't help with my mysqli connection though :)
>
> I will be wrapping the whole thing in a prepared statement before going to
> production with this. At this point this is simply a proof of concept for
> the boss.
> --
>
> Jason Pruim
> Raoset Inc.
> Technology Manager
> MQC Specialist
> 11287 James St
> Holland, MI 49424
> www.raoset.com
> japruim@xxxxxxxxxx

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
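The thread ends with two open points: checking that $_POST actually carries the form fields, and moving the purlprocess.php insert onto a mysqli prepared statement instead of escaping. The following is an added example, not code from the thread or from Raoset; it assumes a table `purl` with columns `first_name`, `last_name`, `email`, the connection credentials shown, and the field names `txtLName` and `txtEmail` alongside the `txtFName` from the original post.

```php
<?php
// Added example for purlprocess.php (not the poster's code). The form value
// is read the way the thread does, but reaches MySQL only as a bound
// parameter, so quotes or SQL keywords typed into the field stay data.
// Assumed: table `purl` (first_name, last_name, email) and the credentials below.

// The var_dump($_POST) check from the thread, as a function: return the
// expected fields, or say exactly which ones the form did not submit.
function readFormFields(array $post, array $expected): array {
    $missing = array_diff($expected, array_keys($post));
    if ($missing !== []) {
        throw new InvalidArgumentException(
            'Form did not submit: ' . implode(', ', $missing)
        );
    }
    return array_map('trim', array_intersect_key($post, array_flip($expected)));
}

// Prepared statement: the SQL text contains only '?' placeholders; the
// values travel separately, so no escaping of the input is needed or done.
function insertPurl(mysqli $db, array $fields): int {
    $stmt = $db->prepare(
        'INSERT INTO purl (first_name, last_name, email) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // 'sss' = three string parameters, bound in placeholder order.
    $stmt->bind_param('sss', $fields['txtFName'], $fields['txtLName'], $fields['txtEmail']);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname'); // assumed credentials

try {
    $fields = readFormFields($_POST, ['txtFName', 'txtLName', 'txtEmail']);
    $id = insertPurl($db, $fields);
    echo 'Inserted record ', $id;
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    // Message names the missing field, never echoes the submitted value back.
    echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```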