Re: Preventing posting of data with Tamper Data
Posted: Fri Mar 20, 2009 12:03 pm
I think you should read this: http://www.logris.org/security/the-unex ... -injection
This code:
is NOT protected against SQL injection. Always use proper quoting, otherwise mysql_real_escape_string doesn't work.
This code:
$query = 'UPDATE mytable SET username = "'.mysql_real_escape_string($_POST['your_username']).'" WHERE id = '.mysql_real_escape_string($_POST['id']); // the id value is escaped but spliced in unquoted, so escaping cannot protect it
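To make the quoting point concrete, here is an added example (not code from this thread or its poster) that runs the three variants against an in-memory SQLite database through PDO. It assumes the pdo_sqlite extension is available, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection; the table, rows and the request value '1 OR 1=1' are constructed for the demonstration.

```php
<?php
// Added example, not from the thread. Shows why escaping a value that is
// not placed inside quotes gives no protection, and what does protect.
// Assumes the pdo_sqlite extension; addslashes() stands in for
// mysql_real_escape_string() (both backslash-escape quote characters).
// Note: SQLite does not treat backslash as an escape, so the stand-in only
// models MySQL behaviour for the payload used here; real code should rely
// on prepared statements rather than any escaping function.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, username TEXT)');
    $db->exec("INSERT INTO mytable VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

function escape(string $s): string {
    return addslashes($s); // stand-in for mysql_real_escape_string()
}

// 1. The pattern from the thread: the id is escaped but NOT quoted.
//    Escaping only neutralises quote characters; "1 OR 1=1" contains none,
//    so it is spliced into the statement unchanged and becomes SQL.
function updateUnquotedId(PDO $db, string $username, string $id): int {
    $query = "UPDATE mytable SET username = '" . escape($username)
           . "' WHERE id = " . escape($id);
    return $db->exec($query); // rows affected
}

// 2. Same escaping, but the value sits inside quotes. The only way out of
//    the literal is a quote character, which escaping does handle, so the
//    whole payload is compared as a string and matches nothing here.
//    (MySQL would cast the string to 1 and update row 1; still no injection.)
function updateQuotedId(PDO $db, string $username, string $id): int {
    $query = "UPDATE mytable SET username = '" . escape($username)
           . "' WHERE id = '" . escape($id) . "'";
    return $db->exec($query);
}

// 3. The recommended form: a prepared statement with bound parameters.
//    The id travels as data, never as SQL text, so no quoting decision exists.
function updatePrepared(PDO $db, string $username, string $id): int {
    $stmt = $db->prepare('UPDATE mytable SET username = :u WHERE id = :id');
    $stmt->execute([':u' => $username, ':id' => (int) $id]);
    return $stmt->rowCount();
}

$payload = '1 OR 1=1'; // constructed request value standing in for $_POST['id']

echo updateUnquotedId(makeDb(), 'x', $payload), " rows changed (every row)\n";
echo updateQuotedId(makeDb(), 'x', $payload), " rows changed\n";
echo updatePrepared(makeDb(), 'x', $payload), " rows changed (only id 1)\n";
```

Run it with `php example.php`: the unquoted variant reports 3 rows changed, the quoted variant 0, and the prepared statement 1. The difference between the first two is exactly the quoting the post insists on; the third removes the question entirely, which is why prepared statements are the form to use in new code.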