| Ben Stones 2008-01-03, 3:59 am |
| Thanks all for your replies. Much appreciated. I have edited the code and
taken your points into account:
$con = mysql_connect("localhost","ben_test","removed") or die("con");
$db = mysql_select_db("ben_test") or die("db");
$sql1 = mysql_query("INSERT INTO `comments` (`messages`) VALUES ($comments)") or die("insert");
$mysql_query_one = mysql_query("SELECT * FROM `comments`");
while($rows=mysql_fetch_array($mysql_query_one)) {
echo $rows['messages'] . "<br />";
}
Okay, the browser output "insert", so it has to be something to do with
the INSERT SQL syntax I have added. Not sure if it's overriding the same
content added as before or something.
Any help once again is appreciated.
Thank you,
Ben Stones.
On Jan 3, 2008 3:16 AM, Benjamin Darwin <bddarwin@gmail.com> wrote:
> Ben:
>
> First, using a $_POST value directly into a MySQL query is EXTREMELY
> unsafe. Always filter data from any source to make sure it's what you
> expect. SQL injection is one of the easiest ways to cause real damage
> to a website. http://en.wikipedia.org/wiki/SQL_injection
>
> Check out this function for making the string safe:
> http://us2.php.net/manual/en/functi...cape-string.php
> Also, try and strip out any characters that don't belong in the string
> anyway, just as added security.
>
> Good luck learning PHP.
>
> --Another person who happens to be named Ben
>
> I've also put a few edits in the code.
> On Jan 2, 2008 9:57 PM, Ben Stones <bastones@googlemail.com> wrote:
> display
> more
> the
>
|
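The same insert-and-list flow, written as an added example (not code from either Ben in the thread) with mysqli prepared statements. It addresses both points raised above: the thread's INSERT interpolates `$comments` without quotes, so for any non-numeric input the SQL is malformed and `or die("insert")` fires; and interpolating `$_POST` data into the query at all is the SQL-injection problem Benjamin warns about. Binding the value as a parameter fixes both, because the comment text is sent to the server separately from the SQL text. It assumes the thread's table `comments` with a text column `messages` and the database/user names shown; the password and the 2000-character limit are placeholders.

```php
<?php
// Added example, not from the thread: insert one comment and list all of them
// with mysqli prepared statements. Assumes table `comments` (column `messages`)
// in database `ben_test`; password and the length limit are placeholders.
declare(strict_types=1);

// Throw exceptions on any MySQL error instead of silently returning false,
// so a failed INSERT shows the real server message rather than just "insert".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'ben_test', 'REPLACE_WITH_PASSWORD', 'ben_test');
// The connection charset must match the data so the server interprets the
// bound bytes the same way the application does.
$db->set_charset('utf8mb4');

// Validate the form field: it must be a non-empty string of sensible length.
// Validation is about what the application accepts; it is not the injection
// defence (the bound parameter below is).
$comment = $_POST['comments'] ?? '';
if (!is_string($comment) || trim($comment) === '' || strlen($comment) > 2000) {
    http_response_code(400);
    exit('A comment of 1 to 2000 characters is required.');
}

// INSERT with a bound parameter. The '?' is a placeholder; the value is sent
// separately, so quotes, semicolons or "--" inside it cannot alter the query.
// Compare the thread's version, VALUES ($comments), where a comment such as
// hello there becomes VALUES (hello there), which is not valid SQL.
$stmt = $db->prepare('INSERT INTO `comments` (`messages`) VALUES (?)');
$stmt->bind_param('s', $comment);   // 's' = bind as string
$stmt->execute();
$stmt->close();

// List every stored comment. Escape on output so a comment containing HTML or
// <script> is displayed as text rather than executed in the visitor's browser.
$result = $db->query('SELECT `messages` FROM `comments`');
while ($row = $result->fetch_assoc()) {
    echo htmlspecialchars($row['messages'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "<br />\n";
}
$db->close();
```

The `mysql_real_escape_string()` approach from the reply also works when the escaped value is additionally wrapped in quotes (`VALUES ('" . mysql_real_escape_string($comments) . "')`), but it depends on the connection charset being set correctly and on never forgetting the quotes; prepared statements avoid both pitfalls. Note that the `mysql_*` extension used in the thread was removed in PHP 7, so new code needs `mysqli` or PDO in any case.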