--- Jason Wong <[EMAIL PROTECTED]> wrote:
> > $username = trim(addslashes($_POST['user_name']));
> > $pass = trim(addslashes($_POST['password']));
>
> addslashes() is not needed as you're performing a SELECT query
> and not an INSERT query.
That's not true, since he's using user data in the SQL statement. The query
method has nothing to do with whether data should be escaped. Of course,
addslashes() is sort of a last resort with regard to escaping data for use in
a query. The more preferable options are those native to the database you're
using, if they exist. MySQL users can use mysql_escape_string(), for example.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming Fall 2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
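The point Chris makes above, shown as an added example that is not code from either poster or from the thread. It runs the original poster's login check four ways against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension and PHP 7.1 or later), so it works offline; the thread itself concerns MySQL and mysql_escape_string(), which was removed together with the rest of the mysql_* extension in PHP 7. The table, the row and the $posted form fields are constructed for the illustration, and PDO::quote() and bound parameters stand in for the MySQL-native escaping the reply recommends.

```php
<?php
// Added example, not code from the original thread. Uses an in-memory SQLite
// database through PDO (assumes the pdo_sqlite extension) so it runs offline;
// the thread itself concerns MySQL and mysql_escape_string().
// Table, row and the $posted form fields are constructed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_name TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret')");

// Constructed attacker input: the single quote in the "password" closes the
// string literal and the remainder turns the WHERE clause into a tautology.
$posted = ['user_name' => 'alice', 'password' => "x' OR '1'='1"];

// 1. Raw interpolation into a SELECT. The query only reads data, yet the
//    tautology makes it return alice's row although the password is wrong:
//    SELECT vs. INSERT has no bearing on whether escaping is needed.
function loginRaw(PDO $db, array $post): bool
{
    $sql = "SELECT 1 FROM users WHERE user_name = '{$post['user_name']}'"
         . " AND password = '{$post['password']}'";
    return (bool) $db->query($sql)->fetchColumn();
}

// 2. addslashes(), the original poster's approach. It emits MySQL-style \'
//    escapes no matter which database is on the other end; SQLite does not
//    treat backslash as an escape, so the driver refuses the statement and
//    this function hands back null instead of a verdict. That is the
//    "last resort" caveat from the reply made visible.
function loginAddslashes(PDO $db, array $post): ?bool
{
    $user = trim(addslashes($post['user_name']));
    $pass = trim(addslashes($post['password']));
    $sql = "SELECT 1 FROM users WHERE user_name = '$user' AND password = '$pass'";
    try {
        return (bool) $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return null;
    }
}

// 3. Escaping native to the database in use, the reply's recommendation:
//    PDO::quote() delegates to the driver, which for SQLite doubles the quote,
//    so the injected text stays inside the password literal and no row matches.
function loginNativeQuote(PDO $db, array $post): bool
{
    $user = $db->quote(trim($post['user_name']));
    $pass = $db->quote(trim($post['password']));
    $sql = "SELECT 1 FROM users WHERE user_name = $user AND password = $pass";
    return (bool) $db->query($sql)->fetchColumn();
}

// 4. Bound parameters: user data never becomes part of the SQL text, so there
//    is no escaping decision to get wrong for SELECT, INSERT or anything else.
function loginPrepared(PDO $db, array $post): bool
{
    $stmt = $db->prepare(
        "SELECT 1 FROM users WHERE user_name = :u AND password = :p"
    );
    $stmt->execute([
        ':u' => trim($post['user_name']),
        ':p' => trim($post['password']),
    ]);
    return (bool) $stmt->fetchColumn();
}

var_dump(loginRaw($db, $posted));
var_dump(loginAddslashes($db, $posted));
var_dump(loginNativeQuote($db, $posted));
var_dump(loginPrepared($db, $posted));
```

Run it with `php login-example.php`. The first call is the one the quoted advice would leave unescaped, and it is the only one that lets the attacker in; the second shows why a generic escaper is a poor substitute for the database's own, and the last two are the forms the reply prefers, with bound parameters being the choice a practitioner would make today.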