> > Half-assed workaround. The correct fix is to modify the call to
> $dbh->prepare() as follows:
> > > $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' &&
agent='$agent' ORDER BY stime DESC");
> > $sth = $dbh->prepare("SELECT * FROM login WHERE pid=" .
> $dbh->quote($mycookpid) .
> " && agent =" .
> $dbh->quote($agent) .
> " ORDER BY stime DESC");
Actually the safe way would be to:
$sth = $dbh->prepare("SELECT * FROM login WHERE pid = ? AND agent = ? ORDER BY
stime DESC");
$sth->execute($mycookpid, $agent);
By using placeholders, your scalars can contain anything you like, without
having malicious side effects.
Greetings,
Kenneth van Grinsven
