
safe to add mysql query in body?

Posted: Mon May 10, 2010 1:27 pm
by wurdup
Is it safe to put the SQL command in the body? The code is in an include file.


<body>

<?php
// Fixed query: no user-supplied value is interpolated into the SQL text.
// (mysql_* was the MySQL extension current in 2010; it was removed in PHP 7.)
$sql = "SELECT * FROM products WHERE product_shown='1'";

$productResult = mysql_query($sql) or die(mysql_error());

$p = 0;
while ($row = mysql_fetch_array($productResult, MYSQL_ASSOC)) {
    // render one product row from $row here
}
?>



Re: safe to add mysql query in body?

Posted: Mon May 10, 2010 3:50 pm
by Christopher
Yes, but if you use any user-supplied values in your SQL, such as from $_GET, $_POST, etc., then you need to validate them and always use the database's escape function.
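The point Christopher makes, shown as an added example that is not code from the original thread: the same products query with a request value pasted into the SQL, beside a version that validates the value and binds it as a parameter. It runs against an in-memory SQLite database through PDO so it works stand-alone (assumes the pdo_sqlite extension is loaded); the table and column names products and product_shown come from the original post, while the product_id column, the row data and the simulated request values are constructed for the demo. PDO prepared statements are used here in place of the mysql_real_escape_string approach of 2010, since the mysql extension no longer exists in current PHP.

```php
<?php
// Added example, not from the original thread. Demonstrates SQL injection
// through string interpolation and the validate-then-bind fix.
// Assumption: pdo_sqlite is available; the schema and rows are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE products (product_id INTEGER PRIMARY KEY, name TEXT, product_shown INTEGER)");
$pdo->exec("INSERT INTO products VALUES (1, 'public widget', 1), (2, 'hidden prototype', 0)");

// Vulnerable: the request value becomes part of the SQL text, so a quote in
// the value ends the literal and the rest is parsed as SQL.
function lookupVulnerable(PDO $pdo, $id)
{
    $sql = "SELECT name FROM products WHERE product_shown='1' AND product_id='$id'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Fixed: validate the shape of the input first (a product id must be a plain
// integer), then bind it as a parameter so the database never parses it as SQL.
function lookupSafe(PDO $pdo, $id)
{
    if (!preg_match('/^\d{1,10}$/', (string) $id)) {
        return [];   // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare("SELECT name FROM products WHERE product_shown='1' AND product_id=?");
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Simulated $_GET['id'] values (constructed for the demo). The attack value
// closes the quoted literal and appends OR '1'='1'; because AND binds tighter
// than OR, the WHERE clause becomes true for every row.
$normal = "1";
$attack = "' OR '1'='1";

print_r(lookupVulnerable($pdo, $normal));
print_r(lookupVulnerable($pdo, $attack));
print_r(lookupSafe($pdo, $normal));
print_r(lookupSafe($pdo, $attack));
```

The second call is the one to watch: with the attack value, the concatenated query turns into `... WHERE product_shown='1' AND product_id='' OR '1'='1'`, so the product_shown filter is bypassed and the hidden row is returned. The bound version never reaches the database with that input, because the integer check rejects it first; even if the check were removed, the bound value would be compared as data rather than interpreted as SQL.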