The issue isn't with the query, it's with the variables used within queries...

example:
$id = $_GET['id'];
$query = "SELECT * FROM mytable WHERE id=$id";

and if you call this page as (or something like this):
?id='' OR 1=1

You can alter the query

-js


Stephen wrote:
> Since day one of me doing MySQL stuff in PHP, I've always set up my
> query as a variable then put it into the query function such as this:
>  
>     $query = "SELECT * FROM bobstuff WHERE id='1'";
>     $result = mysql_query($query, $connection);
>  
> I've just come aware of the security risks of this. How could I make it
> so the $query variable isn't editable from the URL? Should I turn
> register_globals off?
> 
> Thanks,
> Stephen Craton
> http://www.melchior.us
>  
> "Life is a gift from God. Wasting it is like destroying a gift you got
> from the person you love most." -- http://www.melchior.us
> 
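The point made in the reply above, shown as an added example that is not part of the original post: the interpolated query is kept as written, and beside it is a parameterized version of the same lookup. It uses PDO with an in-memory SQLite database so it runs stand-alone; the table, its rows and the simulated request value are constructed here (the original read the value from $_GET['id'], and the mysql_query() function it used no longer exists in current PHP).

```php
<?php
// Added example, not code from the original mailing-list post.
// PDO + in-memory SQLite so the whole thing runs offline; table and rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO mytable (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Simulated request input. In the original this was $_GET['id'];
// the value is the one shown in the reply above.
$id = "'' OR 1=1";

// 1. Vulnerable, as in the reply: the raw input becomes part of the SQL text,
//    so the WHERE clause itself is rewritten and it no longer filters on id.
function lookupInterpolated(PDO $db, string $id): array
{
    $query = "SELECT * FROM mytable WHERE id=$id";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Hardened: the SQL text is fixed when the statement is prepared and the
//    input travels separately as a value, so whatever it contains is only
//    ever compared against the id column, never parsed as SQL.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT * FROM mytable WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "query text sent (interpolated): SELECT * FROM mytable WHERE id=$id\n";
echo "interpolated rows: " . count(lookupInterpolated($db, $id)) . "\n";
echo "prepared rows:     " . count(lookupPrepared($db, $id)) . "\n";
```

Run with `php example.php`: the interpolated lookup returns every row in the table, because the condition has become `id='' OR 1=1`, while the prepared lookup returns no rows, because the whole string is compared as a value against id. This is the answer to the question in the quoted message: the $query variable is never edited from the URL, the problem is that $id is, and a prepared statement (or, at minimum, casting a numeric id with (int) before use) keeps that input out of the SQL text regardless of the register_globals setting.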
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php