Can somebody give me some general hints on how to prevent SQL injection? I always go this way to build my queries:

    function clean_mysql_string($string) {
        $clean_string = stripslashes($string);
        $clean_string = htmlentities(strip_tags($clean_string));
        $clean_string = trim($clean_string);
        $clean_string = rtrim($clean_string);
        $clean_string = mysql_real_escape_string($clean_string);
        return $clean_string;
    }

    $searchstring = clean_mysql_string($_POST["searchstring"]);

    $query = "SELECT id, uname, nickname,
                     MATCH(uname, nickname) AGAINST('$searchstring' IN BOOLEAN MODE) AS mtch
              FROM wlh_accounts
              HAVING mtch > 0.001
              ORDER BY mtch DESC";

    $results = mysql_query($query);

    $values = array();   // initialised so it exists even when no rows match
    while ($row = mysql_fetch_array($results, MYSQL_ASSOC)) {
        $values[] = array(
            "id"       => $row["id"],
            "uname"    => $row["uname"],
            "nickname" => $row["nickname"],
            "mtch"     => $row["mtch"]
        );
    }

Is this safe?

--
Jochen Kaechelin, fvgi242ss, wlanhacking.de
http://mail.wlanhacking.de/cgi-bin/mailman/listinfo

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
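The same full-text search rewritten with a mysqli prepared statement, as an added example that is not part of the original post: the user input is bound as a parameter instead of being spliced into the SQL text, and HTML escaping is moved to output time. The table and column names are the ones from the post; the connection values are placeholders, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example (not from the original post). Connection details are placeholders.
function search_accounts(mysqli $db, string $searchstring): array
{
    // The SQL is fixed text with a '?' marker; the search string never
    // becomes part of the statement, so quotes or keywords in it cannot
    // change the query's structure.
    $sql = "SELECT id, uname, nickname,
                   MATCH(uname, nickname) AGAINST(? IN BOOLEAN MODE) AS mtch
            FROM wlh_accounts
            HAVING mtch > 0.001
            ORDER BY mtch DESC";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }

    // 's' binds the value as a string; it is sent to the server separately
    // from the statement text.
    $stmt->bind_param('s', $searchstring);
    $stmt->execute();
    $result = $stmt->get_result();   // requires the mysqlnd driver

    $values = [];
    while ($row = $result->fetch_assoc()) {
        $values[] = [
            'id'       => $row['id'],
            'uname'    => $row['uname'],
            'nickname' => $row['nickname'],
            'mtch'     => $row['mtch'],
        ];
    }
    $stmt->close();
    return $values;
}

// Usage; host, user, password and database are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4');   // keep client and server charset in agreement

$results = search_accounts($db, $_POST['searchstring'] ?? '');

// Escape for HTML only when rendering, not before the query, so the
// database keeps the real value and the page output stays safe.
foreach ($results as $r) {
    echo htmlspecialchars($r['uname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```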