The problem is that if you put the POST value directly into the query, it's
possible to attach code in the field... (eg. DROP DATABASE;) it's called
"SQL injection"...

what I mean by filtering:
always check the values in the query, eg.: $id = $_POST['id'];
if(is_numeric($id)){...}else{bad post}
and for other fields you can use eg. strstr() etc...

On Wed, May 25, 2011 at 4:38 PM, Negin Nickparsa <nickpa...@gmail.com> wrote:

> Thanks to all:D
> Paul you are absolutely right:D
> it was a bad mistake from me
> there was no need to convert it
> Balint helped me and with mysql_error I found that
> my code hasn't any mistake
> I just forgot the BIG thing!
> selecting db:D
> I totally forgot it because I had array keys with if statement and in there I
> selected it
> but in the last one of them I forgot to set the selection of DB
> Ashley what is OP? and filtering I didn't understand
> Andre why are you telling me
> Note: you *didn't* execute the query by calling mysql_query on it.
> if it doesn't execute the query then what's it doing?
> Reply
> Vitalli believe me that I tried it and I can send the string without error, I
> tried it:
> $query1="select * from patient where id=".$_POST['txt'];
> it works! after I found my error I tried it too and it was right!!!
>

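An added example (not code from either message) showing the concatenated query from the thread next to the validation step described above and a parameterised version. It assumes a `mysqli` connection with mysqlnd and a `patient` table with an integer `id`; the old `mysql_*` extension has no prepared statements, so `mysqli` is used instead.

```php
<?php
// Added example, not from the thread. Connection details are placeholders.

// Vulnerable form from the thread: the POST value becomes part of the SQL text.
// A value such as "1 OR 1=1" or "1; DROP DATABASE x" changes the statement.
function vulnerable_query(string $txt): string {
    return "select * from patient where id=" . $txt;
}

// Validation as suggested above, but stricter than is_numeric(): is_numeric()
// also accepts things like "1e3", " 1" and "+1.5", which are not table ids.
// ctype_digit() accepts only ASCII digits; the cast guards against non-strings.
function validated_id($raw): ?int {
    $s = (string) $raw;
    if ($s === '' || strlen($s) > 18 || !ctype_digit($s)) {
        return null;            // bad post: reject instead of querying
    }
    return (int) $s;
}

// Hardened form: the id is bound as a parameter and never spliced into SQL.
function fetch_patient(mysqli $db, int $id): ?array {
    $stmt = $db->prepare("SELECT * FROM patient WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd (assumption)
    $stmt->close();
    return $row ?: null;
}

// Constructed sample inputs, as they might arrive in $_POST['txt'].
$samples = ['42', ' 42', '1e3', '1 OR 1=1', '1; DROP DATABASE patients'];
foreach ($samples as $s) {
    $id = validated_id($s);
    printf("%-32s is_numeric=%-5s validated_id=%s\n", var_export($s, true),
        is_numeric($s) ? 'true' : 'false', $id === null ? 'rejected' : $id);
    if ($id !== null) {
        // $db = new mysqli('host', 'user', 'pass', 'dbname'); // placeholder
        // $patient = fetch_patient($db, $id);
    }
}
```

Run it on the command line to see which sample values each check lets through; only plain digit strings reach the query, and even those are passed as a bound parameter.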