PHP updating database dating direct

It was all set up and working before I saw this topic and tried adding mysql_real_escape_string().

For example, say a person enters this into an input named "username": The extra quote in there will end the query early, and then add an additional clause, meaning that the statement will always be true, so every single entry in the "customers" table would be selected by this statement. Using this method, someone could insert and run additional code, even deleting tables or dropping the entire database. The mysql_real_escape_string() escapes those potentially malicious characters so they don't affect the query.

You could just as easily throw a delete or drop statement in there instead of just commenting off the remainder of the SQL statement. This might not be as critical on an internal site for yourself only, but it's a big deal to worry about when dealing with public-facing sites.

Additionally for other fields I have elseif (empty($day)
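As an added example (not code from the original posts): the always-true clause described above, run against a constructed "customers" table, first with the input concatenated into the query and then with a PDO prepared statement. The in-memory SQLite database, the sample rows and the function names are assumptions chosen so the script runs without a MySQL server.

```php
<?php
// Added example: constructed data; in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO customers (username) VALUES ('alice'), ('bob'), ('carol')");

// Constructed form input: the stray quote closes the string literal early
// and the trailing clause is always true.
$username = "nobody' OR '1'='1";

// Before: the input is concatenated into the SQL text, so it is parsed as SQL.
function findConcatenated(PDO $pdo, string $username): array
{
    $sql = "SELECT username FROM customers WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// After: the value is bound to a placeholder at execute time and is only
// ever compared as data, whatever characters it contains.
function findPrepared(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT username FROM customers WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

printf("concatenated: %d row(s)\n", count(findConcatenated($pdo, $username)));
printf("prepared:     %d row(s)\n", count(findPrepared($pdo, $username)));
printf("prepared, legitimate name: %d row(s)\n", count(findPrepared($pdo, 'alice')));
```

The same prepare() and execute() calls work unchanged when the PDO object is created with a mysql: DSN.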
