[thelist] PHP help required please

Andrew Forsberg andrew at thepander.co.nz
Mon Feb 4 13:19:00 CST 2002

>  >setcookie("LOGININFO", "$username");
>  >$sql = "INSERT INTO  '$LOGININFO' (prod_id,prod_name,prod_price) VALUES
>That's not nearly the best way to things, let alone dealing with the
>cookies. What if two people have the same usernames, or someone wants a
>username that's a reserved word in the databse system?


>dave'; drop database; insert into 'dave
>This would screw up your entire database. Very insecure, to insert stuff for
>SQL right from the client-side...

Very scary stuff indeed.

Even storing user names on the client's machine is far from ideal.
You might find, Dave, that if you do choose to use PHP's session
management functions that several of your troubles disappear. These
functions hide some of the complexities of cookie handling from your

Andrew Forsberg
uberNET - http://uber.net.nz/
the pander - http://thepander.co.nz/

More information about the thelist mailing list