Code:
$query = "SELECT * FROM wp_network_members WHERE company LIKE '$_POST[1]'";
pickle wrote:
DO NOT RUN THIS QUERY!
What would happen if I submitted a form where $_POST[1] was this:
Code:
';TRUNCATE `wp_network_members`
The entire table would be deleted. Never, ever put post variables directly into a query. You should always escape them first with mysql_real_escape_string().
MySQL wrote:
SELECT * FROM wp_network_members WHERE company LIKE '%$cleaned_posted_content%'
The '%' is a wildcard, much like '*' in regular expressions.

Only the first query prior to ; would be executed, since mysql_query() is only capable of running a single query. But that doesn't mean they won't be able to do malicious things to your query.
Code:
$query = "SELECT * FROM wp_network_members WHERE company LIKE '%". mysql_real_escape_string($_POST[1]) ."%'";
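
Added example, not code from any poster in this thread: the same LIKE search written with a PDO prepared statement and fed the input quoted above. It uses PDO because the mysql_* functions were removed in PHP 7. It assumes the pdo_sqlite extension and a constructed in-memory table, and `find_members` is a hypothetical helper name.

```php
<?php
// Added example. Constructed rows in an in-memory SQLite table (needs pdo_sqlite);
// the thread's code targets MySQL, where the same PDO calls apply.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE wp_network_members (id INTEGER PRIMARY KEY, company TEXT)');
$pdo->exec("INSERT INTO wp_network_members (company)
            VALUES ('Acme Ltd'), ('50% Off Tyres'), ('Pickle & Sons')");

// Hypothetical helper: substring search with the search term bound as data.
function find_members(PDO $pdo, string $term): array
{
    // mysql_real_escape_string() and bound parameters both leave % and _ alone,
    // so escape them here or a term of "%" matches every row.
    $literal = strtr($term, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $pdo->prepare(
        "SELECT company FROM wp_network_members WHERE company LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The input quoted in the thread, as it would arrive in $_POST[1].
$posted = "';TRUNCATE `wp_network_members`";

// String interpolation, as in the original query: the leading quote ends the
// string literal and the rest of the input becomes SQL text. Printed, not run.
echo "interpolated: SELECT * FROM wp_network_members WHERE company LIKE '$posted'\n";

// Bound parameter: the same input is only ever compared against company values.
echo 'bound:        ', json_encode(find_members($pdo, $posted)), "\n";
echo 'rows left:    ', $pdo->query('SELECT COUNT(*) FROM wp_network_members')->fetchColumn(), "\n";

// Wildcards in the term are matched literally, not as patterns.
echo 'term "%":     ', json_encode(find_members($pdo, '%')), "\n";
echo 'term "acme":  ', json_encode(find_members($pdo, 'acme')), "\n";
```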