Quoting Stephan Beal <sgb...@googlemail.com>:

On Wed, Oct 5, 2011 at 6:56 PM, C Lindgren <list_bo...@bizotd.com> wrote:

if (isset ($_post ['submit'] )) {


Aside from this use of POST being a huge security hole, $_post is spelled
wrong: it would be $_POST (or $_REQUEST if you want to treat GET/POST the
same).


$sql=$db->exec("INSERT INTO users(ID,username,password)
                VALUES ('0','".$username."','".$password."')");


If it's not clear why that is a huge security hole, google for "sql
injection attack" and then read up on PDO::prepare() for how to avoid that
problem:

http://php.net/manual/en/pdo.prepare.php

--
----- stephan beal
http://wanderinghorse.net/home/stephan/
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Thanks...

So, I can eliminate the $_POST block of code and replace it with PDO::prepare() then execute it with PDOStatement::execute()?

I'm sure I'll have additional questions after I rewrite that code block.
Even though this is in an intranet environment it's nice to know!

Thanks again for your straight answer.

--
C Lindgren
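The rewrite the thread is circling around, as an added example rather than code posted by either participant: the isset($_POST['submit']) guard stays, and only the string-concatenated INSERT is replaced by PDO::prepare() plus PDOStatement::execute() with bound parameters. The script runs stand-alone against an in-memory SQLite database and shows the original pattern and the prepared-statement version side by side on the same constructed attack input. Assumptions not in the thread: the table is users(ID INTEGER PRIMARY KEY, username TEXT, password TEXT) and the explicit '0' for ID is dropped so SQLite assigns the key; the database path users.db in the form handler is a placeholder; the password_hash() call is a practitioner's addition, not something the thread discussed.

```php
<?php
// Added example for this thread, not code from either poster.
// Assumed schema: users(ID INTEGER PRIMARY KEY, username TEXT, password TEXT).
// Runs stand-alone with an in-memory database:  php this_file.php

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    return $db;
}

// The pattern from the thread: user input spliced straight into the SQL text,
// so any quote character in the input becomes part of the statement.
function insertUserVulnerable(PDO $db, string $username, string $password): void {
    $db->exec("INSERT INTO users(username,password) VALUES ('" . $username . "','" . $password . "')");
}

// The fix: placeholders in the SQL, values supplied at execute() time.
// The driver never parses the bound values as SQL, so quotes in them are data.
function insertUserSafe(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users(username, password) VALUES (:username, :password)');
    $stmt->execute([
        ':username' => $username,
        // Not raised in the thread: store a hash, never the password itself.
        ':password' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function dumpUsers(PDO $db): array {
    return $db->query('SELECT username, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attack input: closes the username literal, supplies the attacker's
// own value for the password column, and comments out the rest of the statement.
$attackerName = "admin','letmein')--";

$db = openDb();
insertUserVulnerable($db, $attackerName, 'whatever-the-form-sent');
print_r(dumpUsers($db));

$db = openDb();
insertUserSafe($db, $attackerName, 'whatever-the-form-sent');
print_r(dumpUsers($db));

// The form handler from the thread with only the query construction changed.
if (PHP_SAPI !== 'cli' && isset($_POST['submit'])) {
    $db = new PDO('sqlite:users.db'); // assumed path
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    insertUserSafe($db, (string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
}
```

With the vulnerable function the statement SQLite actually executes is INSERT INTO users(username,password) VALUES ('admin','letmein')--... so the row stored has username admin and the attacker-chosen password letmein, whatever the form submitted. With the prepared statement the same input is stored verbatim as the username and the password column holds a hash. The intranet setting mentioned in the reply does not change this: the query is decided by whoever can submit the form.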

