On Wednesday 07 July 2004 12:05, Keith Greene wrote:
> on the contrary:
> $sql = mysql_query("select * from users where name='".$name."'");
>
> will simply look for a user with a name of "Jim; delete from users;" and
> return no results found.

But I can also enter: jim'; delete from users

You need to catch if there's a quote in the $name too, and escape that.

RDB

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
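The fix RDB is pointing at, as an added example that is not part of the thread: the same lookup rebuilt with a mysqli prepared statement, so the value of `$name` is sent to the server separately from the SQL text and a single quote in it cannot alter the query. The escaped-string variant is shown alongside for code that must still build the string by hand. Function names, and the connection values, are my own placeholders; the example assumes PHP with the mysqli extension (`get_result()` needs mysqlnd).

```php
<?php
// Added example (not from the mailing-list thread): the query from the
// post rebuilt with a bound parameter so a quote in $name cannot change
// the SQL structure. Connection details below are placeholders.

/**
 * Look up users by exact name using a prepared statement.
 * $name is bound as data, not spliced into the SQL text, so input such as
 *   jim'; delete from users
 * is compared literally against the name column and never parsed as SQL.
 */
function findUserByName(mysqli $db, string $name): array
{
    $stmt = $db->prepare("SELECT * FROM users WHERE name = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $name);   // "s" = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Fallback for code that must still concatenate the SQL string:
 * escape quotes with the driver's own routine, never with an ad hoc
 * str_replace. The escaping is charset-dependent, so the connection
 * charset must be set first. Prepared statements remain the better choice.
 */
function findUserByNameEscaped(mysqli $db, string $name): array
{
    $safe = $db->real_escape_string($name);
    $result = $db->query("SELECT * FROM users WHERE name = '" . $safe . "'");
    if ($result === false) {
        throw new RuntimeException("query failed: " . $db->error);
    }
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Placeholder connection values; replace with your own.
$db = new mysqli("localhost", "dbuser", "dbpass", "appdb");
$db->set_charset("utf8mb4");

// The input from the post, passed through unchanged: no rows match and
// nothing else is executed, with either function.
$rows = findUserByName($db, "jim'; delete from users");
printf("prepared: %d user(s) found\n", count($rows));

$rows = findUserByNameEscaped($db, "jim'; delete from users");
printf("escaped:  %d user(s) found\n", count($rows));
```

The point of the bound parameter is that there is nothing to escape: the server receives the SQL with a `?` placeholder and the name as a separate value, so the distinction between "data" and "query" is made by the protocol rather than by the application getting its quoting right.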