Ghenis Posted November 27, 2008
No, strings in the query also have to be enclosed in single quotes. Example:

<?php
$var = mysql_real_escape_string($var);
$res = mysql_query("SELECT * FROM table WHERE field = $var");
// If $var is -1 UNION SELECT * FROM anotherTable /*, then it will be executed :-)
$res2 = mysql_query("SELECT * FROM table WHERE field = '$var' ");
// Everything is fine and safe
Kaitnieks Posted November 28, 2008
If you seriously want to protect yourself from injections, see http://lv.php.net/manual/en/pdostatement.execute.php. We were recently quite disappointed with PDO, because with mssql there were abnormal glitches, but I assume that for mysql, as the most popular DBMS for PHP systems, everything will be polished.
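The three patterns discussed in the two posts side by side, as an added example that is not code from either poster. It uses PDO with an in-memory SQLite database so it runs offline; the table names, columns and rows are constructed for the demo (the thread only names "table", "anotherTable" and "field"), and PDO::quote() stands in for mysql_real_escape_string(), whose mysql_* extension was removed in PHP 7.

```php
<?php
// Added example, not code from the forum posts. In-memory SQLite via PDO so
// that it runs offline; tables, columns and rows are constructed here.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, field TEXT)');
$pdo->exec('CREATE TABLE anotherTable (id INTEGER PRIMARY KEY, field TEXT)');
$pdo->exec("INSERT INTO items (field) VALUES ('alpha'), ('beta')");
$pdo->exec("INSERT INTO anotherTable (field) VALUES ('not for this query')");

// 1. The pattern Ghenis warns about: the value is interpolated into the SQL
//    text with no quotes around it. Escaping would not change the input used
//    below at all, because it contains no quote characters to escape, so the
//    input becomes part of the query structure.
function lookupUnquoted(PDO $pdo, string $var): array
{
    $sql = "SELECT * FROM items WHERE field = $var";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. What Ghenis recommends: escape AND wrap the value in single quotes.
//    PDO::quote() does both here (it replaces mysql_real_escape_string()
//    plus the surrounding quotes from the thread's second query).
function lookupQuoted(PDO $pdo, string $var): array
{
    $sql = 'SELECT * FROM items WHERE field = ' . $pdo->quote($var);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. What Kaitnieks recommends: a prepared statement. The SQL text is fixed
//    at prepare() time and the value is bound separately in execute(), so the
//    value can never alter the shape of the query.
function lookupPrepared(PDO $pdo, string $var): array
{
    $stmt = $pdo->prepare('SELECT * FROM items WHERE field = :field');
    $stmt->execute([':field' => $var]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The input quoted in the thread, plus an ordinary value for comparison.
$payload = '-1 UNION SELECT * FROM anotherTable /*';

echo 'unquoted: ', count(lookupUnquoted($pdo, $payload)), " row(s)\n";
echo 'quoted:   ', count(lookupQuoted($pdo, $payload)), " row(s)\n";
echo 'prepared: ', count(lookupPrepared($pdo, $payload)), " row(s)\n";
echo 'prepared, ordinary input: ', count(lookupPrepared($pdo, 'alpha')), " row(s)\n";
```

Run it with the pdo_sqlite extension enabled. The unquoted variant returns the row from anotherTable, confirming Ghenis's point that escaping without quoting does nothing for this input; the quoted variant and the prepared statement both return no rows for it, while the prepared statement still finds 'alpha' normally. Of the two safe forms, the prepared statement is the one to standardise on, since it does not depend on the developer remembering the quotes on every query.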