Re: Preventing posting of data with Tamper Data

Posted: Fri Mar 20, 2009 12:03 pm
by Mordred
I think you should read this: http://www.logris.org/security/the-unex ... -injection
This code:

```php
// username is escaped and quoted; id is escaped but concatenated bare
$query = 'UPDATE mytable SET username = "'.mysql_real_escape_string($_POST['your_username']).'" WHERE id = '.mysql_real_escape_string($_POST['id']);
```
is NOT protected against SQL injection. Always use proper quoting, otherwise mysql_real_escape_string doesn't work.
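As an added example that is not part of the thread: the unquoted-id pattern from the post beside a parameterised rewrite, run against an in-memory SQLite table through PDO so it works offline (addslashes stands in for the MySQL-specific escape function; the table, its rows and the POST body are constructed).

```php
<?php
// Added example, not code from the original thread.

function fresh_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, username TEXT)');
    $pdo->exec("INSERT INTO mytable VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Stand-in for mysql_real_escape_string(): it only escapes quote characters,
// so it does nothing useful for a value that is never placed inside quotes.
function escape_string(string $s): string {
    return addslashes($s);
}

// The pattern from the thread: username is quoted, id is concatenated bare.
function update_concatenated(PDO $pdo, array $post): int {
    $query = "UPDATE mytable SET username = '" . escape_string($post['your_username'])
           . "' WHERE id = " . escape_string($post['id']);
    return $pdo->exec($query);   // number of rows changed
}

// Hardened: require a plain integer id, then bind both values as parameters
// so neither one is ever spliced into the SQL text.
function update_parameterised(PDO $pdo, array $post): int {
    $id = filter_var($post['id'], FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0;   // reject anything that is not an integer
    }
    $stmt = $pdo->prepare('UPDATE mytable SET username = :u WHERE id = :id');
    $stmt->execute([':u' => $post['your_username'], ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed POST body: the id field carries a boolean tail instead of a number.
$post = ['your_username' => 'mallory', 'id' => '2 OR 1=1'];

echo update_concatenated(fresh_db(), $post), " rows changed by the concatenated query\n";
echo update_parameterised(fresh_db(), $post), " rows changed by the parameterised query\n";
echo update_parameterised(fresh_db(), ['your_username' => 'mallory', 'id' => '2']),
     " rows changed with a valid id\n";
```

With the constructed body the concatenated query renames every row in the table, while the parameterised version rejects the input and only updates a row when the id is a genuine integer.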