Of course have to use filters and etc...

Bálint Horváth
On 25 May 2011 09:53, "Vitalii Demianets" <vi...@nppfactor.kiev.ua> wrote:
> On Wednesday 25 May 2011 07:05:18 Negin Nickparsa wrote:
>> my code is this:
>> $query1="select * from patient where id=".$_POST['txt'];
>> it works but
>
> Holy Jesus!
> Can't wait to send to your server POST request with txt="1;DROP DATABASE;
--"
>
> Of course, if you'll switch to prepare statement instead of string
embedding
> there will be no much fun.
>
> --
> Vitalii
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Reply via email to