On Wednesday 07 July 2004 12:05, Keith Greene wrote:
> on the contrary:
> $sql = mysql_query("select * from users where name='".$name."'");
>
> will simply look for a user with a name of "Jim; delete from users;" and
> return no results found.

But I can also enter: jim'; delete from users

You need to catch if there's a quote in the $name too, and escape that.

RDB

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
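As an added illustration that is not part of either message in the thread, the following PHP script puts the three ways of building the lookup side by side: the concatenation from the quoted line (shown, not executed), escaping the value as RDB suggests (via PDO::quote(), the PDO equivalent of the mysql escape functions), and a prepared statement, which keeps the name out of the SQL text entirely. It runs offline against an in-memory SQLite table (assumes the pdo_sqlite extension; the table and its two rows are constructed for the demo).

```php
<?php
// Added example, not from the thread: three ways to build the user lookup,
// run against an in-memory SQLite table so it works offline.
// Table contents are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table users (id integer primary key, name text)");
$db->exec("insert into users (name) values ('Jim'), ('Ann')");

// The two inputs discussed in the thread: one without a quote, one with.
$inputs = ["Jim; delete from users;", "jim'; delete from users"];

foreach ($inputs as $name) {
    echo "input: $name\n";

    // 1. Concatenation, as in the quoted line. Shown, not executed: the
    //    quote in the second input closes the string literal, so whatever
    //    follows it is parsed as SQL rather than as part of the name.
    echo "  concat:   select * from users where name='" . $name . "'\n";

    // 2. Escaping, as RDB suggests. PDO::quote() doubles the embedded
    //    quote (SQLite style) and wraps the value, so it stays one literal.
    echo "  quoted:   select * from users where name=" . $db->quote($name) . "\n";

    // 3. Prepared statement: the value is bound separately and never
    //    becomes part of the SQL text, so no escaping logic is needed.
    $stmt = $db->prepare("select * from users where name = :name");
    $stmt->execute([':name' => $name]);
    echo "  prepared: " . count($stmt->fetchAll()) . " row(s)\n";
}

// Both inputs are treated purely as data: no user matches and none is deleted.
echo "users still present: "
    . $db->query("select count(*) from users")->fetchColumn() . "\n";
```

Each lookup returns 0 rows and the final count stays at 2; note that PDO::quote() escapes according to the driver in use (doubled quotes here, backslashes on the MySQL driver), which is one more reason to prefer the prepared statement.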

