Re: Re: session variable in select query showing picture from database

>> $band_id = $_SESSION['session_var'];
>> $query="SELECT * FROM pic_upload WHERE band_id=$band_id";

It's always better not to concatenate user input into queries, otherwise
you are vulnerable to SQL Injection attacks:

  http://www.sans.org/top25errors/#cat1

Use bind variables with the appropriate syntax for your database.

Chris

--
Email: christopher.jones@xxxxxxxxxx  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd    Free PHP Book: http://tinyurl.com/UGPOM

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
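The contrast Chris describes, as an added example that is not part of the original thread and not his code: the quoted snippet is PHP, but the same two queries are shown here in Python against an in-memory SQLite database, because the behaviour is identical for any driver that supports bind variables. The table name pic_upload and the band_id column come from the thread; the filename column, the sample rows and the attacker-supplied value are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for the pic_upload table in the thread.
# The filename column is an assumption; only band_id appears on the page.
SAMPLE_ROWS = [
    (1, "band1_cover.jpg"),
    (1, "band1_live.jpg"),
    (2, "band2_cover.jpg"),
    (3, "band3_private.jpg"),
]


def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pic_upload (band_id INTEGER, filename TEXT)")
    conn.executemany("INSERT INTO pic_upload VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def pictures_concatenated(conn, band_id):
    """Mirrors the quoted PHP: the value is spliced into the SQL text,
    so whatever it contains is parsed as part of the query."""
    query = (
        "SELECT filename FROM pic_upload WHERE band_id="
        + str(band_id)
        + " ORDER BY filename"
    )
    return [row[0] for row in conn.execute(query)]


def pictures_bound(conn, band_id):
    """Bind variable version: the SQL text is fixed and the value travels
    separately, so it can only ever be compared against band_id."""
    query = "SELECT filename FROM pic_upload WHERE band_id=? ORDER BY filename"
    return [row[0] for row in conn.execute(query, (band_id,))]


def demo():
    """Run both queries with a legitimate id and with a constructed
    injection payload, returning the four result lists for inspection."""
    conn = make_db()
    honest = 1
    # Constructed attacker value, e.g. a tampered session or form field.
    hostile = "1 OR 1=1"
    return {
        "concat_honest": pictures_concatenated(conn, honest),
        "bound_honest": pictures_bound(conn, honest),
        "concat_hostile": pictures_concatenated(conn, hostile),
        "bound_hostile": pictures_bound(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the honest id both functions return the same two pictures. With the hostile value the concatenated query becomes `WHERE band_id=1 OR 1=1` and returns every row in the table, while the bound query compares the integer column against the literal string and matches nothing. In the PHP case the same fix is a prepared statement with a placeholder (for example PDO's `?` or a named `:band_id` parameter), with the value passed to execute() rather than into the query string.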