Gabe wrote:
Can someone help me understand how people are able to use SQL
maliciously if you don't protect against it in PHP? For example, I've
written a very simple search SQL statement that takes the value of a
variable for the search criteria (from a webpage form). I don't
understand how someone could enter an SQL statement that could be
malicious. Here's the SQL statement that I run once I have the search
criteria stored in $strCriteria:
SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE
(blnHidden = FALSE AND ((fldBody LIKE '%$strCriteria%') OR (fldQuesTitle
LIKE '%$strCriteria%')));
I know in general that protecting against someone entering SQL is a must.
So I guess I'm just wondering if anyone has any real-world experience
with how people can take advantage of SQL and forms.
Thanks!
Gabe
That was very helpful. Thanks!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
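Added example (not code from Gabe's post or from the PHP list): a Python/sqlite3 stand-in for the PHP query above that shows exactly how a search-box value becomes SQL. The table contents, the two payload strings, the escape_like helper and the use of blnHidden = 0 in place of FALSE are all constructed for this demonstration; the WHERE clause itself keeps the structure of the posted query. The point is that the attacker reads the shape of the query (open quote, two parentheses, an AND guarding blnHidden), closes it from inside the search term, and adds a condition of their own, which here returns the hidden row the query was meant to filter out.

```python
import sqlite3

# Constructed sample data, not from the original post: a tiny FAQ table using Gabe's column names.
FAQ_ROWS = [
    (1, "Password reset", "How do I reset my password?", 0),
    (2, "Billing", "Where do I find my invoices?", 0),
    (3, "Refunds", "Orders are refunded 100% within 30 days", 0),
    (4, "Internal: unpublished draft", "Not ready for customers", 1),  # blnHidden = TRUE
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblFAQ_Question ("
        "autoQuesID INTEGER PRIMARY KEY, fldQuesTitle TEXT, fldBody TEXT, blnHidden INTEGER)"
    )
    conn.executemany("INSERT INTO tblFAQ_Question VALUES (?, ?, ?, ?)", FAQ_ROWS)
    return conn


# blnHidden = 0 stands in for Gabe's "blnHidden = FALSE" because older SQLite builds lack
# the TRUE/FALSE keywords; the structure of the WHERE clause is otherwise unchanged.
def search_vulnerable(conn, criteria):
    """Gabe's query with $strCriteria pasted straight into the SQL text."""
    sql = (
        "SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE "
        "(blnHidden = 0 AND ((fldBody LIKE '%" + criteria + "%') "
        "OR (fldQuesTitle LIKE '%" + criteria + "%')))"
    )
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(s):
    """Make user text literal inside a LIKE pattern: backslash, % and _ are the special characters."""
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, criteria):
    """Same search with bound parameters: the input is data and is never parsed as SQL.
    The LIKE wildcards are escaped too, otherwise '%' or '_' in the search term still
    act as wildcards even though they cannot inject SQL."""
    pattern = "%" + escape_like(criteria) + "%"
    sql = (
        "SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE "
        "(blnHidden = 0 AND ((fldBody LIKE ? ESCAPE '\\') OR (fldQuesTitle LIKE ? ESCAPE '\\')))"
    )
    return sorted(row[0] for row in conn.execute(sql, (pattern, pattern)))


# Two attacker inputs for the search box (constructed here). Each is written against the
# exact shape of Gabe's WHERE clause: close the open quote and enough parentheses to get
# outside the "blnHidden = FALSE AND (...)" group, OR in a condition that is always true,
# then either comment out the rest of the query or re-open a balanced clause that swallows it.
PAYLOAD_COMMENT = "')) OR 1=1) -- "   # MySQL needs the space after "--"; SQLite does not
PAYLOAD_BALANCED = "') OR 1=1) OR ((fldBody LIKE '"

if __name__ == "__main__":
    conn = make_db()
    print("normal search:   ", search_vulnerable(conn, "password"))        # [1]
    print("comment payload: ", search_vulnerable(conn, PAYLOAD_COMMENT))   # [1, 2, 3, 4], hidden row included
    print("balanced payload:", search_vulnerable(conn, PAYLOAD_BALANCED))  # [1, 2, 3, 4]
    print("safe, same input:", search_safe(conn, PAYLOAD_BALANCED))        # []
```

The balanced payload matters because it needs no comment syntax: the attacker does not have to know which database is behind the form, only what the query looks like, and the same technique extends to UNION SELECT against other tables or to the first half of a UNION that pulls schema information. In PHP the fix is the same as search_safe: a prepared statement (PDO or mysqli) with the pattern bound as a parameter, and the LIKE metacharacters escaped if a literal match is intended.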