> > on the contrary:
> >
> > sql = mysql_query("select * from users where name='".$name."'");
> >
> > will simply look for a user with a name of "Jim; delete from users;" and
> > return no results found.
>
> But I can also enter:
> jim'; delete from users
>
> You need to catch if there's a quote in the $name too, and escape that.
One thing to remember is mysql_query() will execute just one (the first) query, so use of ; won't do anything in the above except break the query. Still, though, the point is well taken: be sure to add slashes (once) and put single quotes around the criteria ($name) and life will be grand. Quotes around numerical values won't hurt (such as id = '$id') although it's not required. If you choose not to do that then be sure it's numerical before use (like cast it as an int, or check is_numeric(), etc. ...). Some people check for ';' in the request variable and if found yell at the user; that can be fun. bugs.php.net does this.

In regards to the controversial magic_quotes_gpc PHP directive, I feel it should remain on by default, but if you know what you're doing then set it yourself. Scripts that work everywhere should of course work perfectly with it on or off. php.ini-dist (the default php.ini) has it on while the php.ini-recommended has it off. You must know what you're doing to use the 'recommended' version of php.ini.

PHP is a newbie friendly language and newbies are for the most part clueless and don't know what strings or integers are, or why data should be escaped, or what data validation is or why it's important. This is why magical quotes exist, as without them just think how many people would keep getting "malicious SQL" in their code and blame PHP, or how seemingly random SQL syntax errors would crop up. For these reasons dealing with "Why do I get \' everywhere????" type questions is worth it, and why magic_quotes_gpc exists as a php.ini directive.

Regards,
Philip

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
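The "escape once, then quote" rule from the reply, written out as an added PHP example that is not part of the thread. The helper names (escape_once, user_by_name_query, user_by_id_query) are my own, and the sample input is the one raised in the quoted message; the magic_quotes_gpc check is only meaningful on PHP versions that still have that directive.

```php
<?php
// Added example (not from the mailing list thread). Builds the criteria for the
// old mysql_query() string style discussed above, escaping exactly once and
// quoting string values, and validating numeric values instead of quoting them.

function escape_once($value) {
    // When magic_quotes_gpc is on, PHP has already added slashes to request
    // data. Undo that first so the value is never escaped twice (the source of
    // the "\' everywhere" complaints), then escape exactly once ourselves.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // addslashes() is not charset-aware; with a live connection the
    // driver's own escape function is the better choice.
    return addslashes($value);
}

// String criteria: escape, then wrap in single quotes so the entire input is
// read by the SQL parser as one string literal.
function user_by_name_query($name) {
    return "select * from users where name='" . escape_once($name) . "'";
}

// Numeric criteria: check before use rather than relying on quotes.
function user_by_id_query($id) {
    if (!is_numeric($id)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    return "select * from users where id=" . (int) $id;
}

// Constructed sample input, the case the quoted message raises.
$name = "jim'; delete from users";

// Unescaped, the quote closes the literal and the query is no longer
// what the developer wrote:
//   select * from users where name='jim'; delete from users'
$broken = "select * from users where name='" . $name . "'";

// Escaped once and quoted, the whole input stays a single string literal:
//   select * from users where name='jim\'; delete from users'
$safe = user_by_name_query($name);

echo $broken, "\n", $safe, "\n";
echo user_by_id_query('42'), "\n";   // select * from users where id=42
```

Passing a non-numeric id such as "42 or 1=1" to user_by_id_query() throws rather than reaching the database.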