On Sat, Mar 07, 2009 at 05:53:21AM -0800, hugocoolens wrote:
> I have a little php-script to help me learn foreign languages
> In my php-code I have the following line:
> $query="update wordlist set known=true where dutch='".$preceding."'";

With this kind of line, you are inviting an SQL injection as
illustrated below:

http://xkcd.com/327/

Instead, use pg_prepare() and pg_execute() for this kind of thing.

Cheers,
David.
-- 
David Fetter <[email protected]> http://fetter.org/
Phone: +1 415 235 3778  AIM: dfetter666  Yahoo!: dfetter
Skype: davidfetter      XMPP: [email protected]

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

-- 
Sent via pgsql-general mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
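As an added illustration of the advice above (example code, not part of the original thread and not from either poster), here is the concatenated UPDATE from the question placed next to the pg_prepare()/pg_execute() form David recommends. The connection string, the table and column names (wordlist, known, dutch, taken from the quoted line) and the sample value are assumptions or constructed input.

```php
<?php
// Added example: contrast the string-concatenated UPDATE from the question
// with a prepared statement using a bound parameter.
// Connection parameters are placeholders (assumption).
$conn = pg_connect('host=localhost dbname=words user=learner password=CHANGEME');
if ($conn === false) {
    die("connection failed\n");
}

// Constructed sample input, as a script might receive it from a form field.
// A perfectly legitimate Dutch word containing an apostrophe is enough to
// break the concatenated query; no attacker is needed to see the problem.
$preceding = "'t is";

// --- Concatenated form (the line from the question) ---
// The apostrophe in $preceding ends the SQL string literal early, so the
// resulting statement is malformed, and any text after it would be parsed
// as SQL rather than treated as data. Built here only for comparison; not executed.
$query = "update wordlist set known=true where dutch='" . $preceding . "'";
echo "unsafe text would be: " . $query . "\n";

// --- Prepared-statement form ---
// The SQL text goes to the server once with $1 as a placeholder; the value
// is sent separately and is never interpreted as SQL, whatever it contains.
// Single-quoted PHP strings keep $1 literal.
$stmt = pg_prepare($conn, 'mark_known',
    'update wordlist set known = true where dutch = $1');
if ($stmt === false) {
    die('prepare failed: ' . pg_last_error($conn) . "\n");
}

$result = pg_execute($conn, 'mark_known', array($preceding));
if ($result === false) {
    die('execute failed: ' . pg_last_error($conn) . "\n");
}
echo 'rows updated: ' . pg_affected_rows($result) . "\n";

// When the statement is not reused, pg_query_params() does the same in one call:
// pg_query_params($conn,
//     'update wordlist set known = true where dutch = $1', array($preceding));
```

Because the parameter never touches the SQL text, no escaping of the input is needed; the same pattern applies to every query that takes user-controlled values.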