Posted: Sun Apr 15, 2007 8:10 pm
If you're placing user input into a query and you aren't properly escaping the input (mysql_real_escape_string()), you are vulnerable.

Mightywayne wrote:
I am, but if they have no field to insert SQL commands into, how will they put the SQL in?

You can insert any characters you like into a database, providing they are properly escaped. If you were to use mysql_real_escape_string() on user input (which escapes all quotes), your queries won't be malformed. If you're still having problems, at least post the queries you're having trouble with.

Mightywayne wrote:
Edit 2: Okay, I got it I think. I can't use double quotes for my message, which kinda sucks, I'm sure I'll figure out a way for it to work eventually. The problem was inserting '$log', instead I did "$log" and it loved me again.
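The difference between interpolating the message into the SQL text (the '$log' problem above) and binding it as a parameter, as an added example that is not from this thread; it uses Python with an in-memory SQLite table as a stand-in for the PHP/MySQL setup so it runs on its own, and the sample messages are constructed.

```python
import sqlite3

# Constructed sample messages of the kind that broke the poster's
# INSERT ... VALUES ('$log') query: each contains a quote character.
SAMPLE_MESSAGES = [
    "it's broken",            # single quote ends a '...' literal early
    'he said "hi"',           # double quote only, harmless inside '...'
    "both ' and \" in here",  # breaks either quoting style
]


def make_db():
    """In-memory SQLite table standing in for the poster's MySQL log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, message TEXT)")
    return conn


def insert_naive(conn, message):
    """Interpolate the message into the SQL text, like '$log' in PHP.
    Returns False when a quote in the message leaves the statement
    malformed (the error the original poster hit), True otherwise."""
    try:
        conn.execute(f"INSERT INTO log (message) VALUES ('{message}')")
        return True
    except sqlite3.OperationalError:
        return False


def insert_parameterized(conn, message):
    """Bind the message as a parameter: the driver handles quoting, so the
    text is stored unchanged and can never alter the statement's shape."""
    conn.execute("INSERT INTO log (message) VALUES (?)", (message,))


def naive_results():
    """Which sample messages the interpolated query manages to store."""
    conn = make_db()
    return [insert_naive(conn, m) for m in SAMPLE_MESSAGES]


def parameterized_results():
    """Messages stored by the parameterized query, in insertion order."""
    conn = make_db()
    for m in SAMPLE_MESSAGES:
        insert_parameterized(conn, m)
    rows = conn.execute("SELECT message FROM log ORDER BY id")
    return [row[0] for row in rows]
```

Only the message with double quotes alone survives the interpolated form; the parameterized form stores all three exactly as given.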