Subj : Re: Quick reminder..
To   : Spectre
From : apam
Date : Thu Sep 21 2023 12:58:23

> Thanks. That appears to be similar to what I'm doing, other than it
> shows a predetermined list, not sure how it helps me.

My guess is you're making a query string by adding the form input to it.
Something like

    // Form input concatenated straight into the SQL text
    $something = $_GET['something'];
    $sql = "SELECT stuff FROM table WHERE " . $something . " = 'something'";

That's bad and causes SQL injections because $something is not sanitized first.

You want to do something like

    $something = $_GET['something'];
    // $mysqli is an existing mysqli connection; the ? placeholder binds a
    // value (placeholders cannot stand in for column names)
    $stmt = $mysqli->prepare("SELECT stuff FROM table WHERE column = ?");
    $stmt->bind_param("s", $something);
    $stmt->execute();

By using bind_param, it will sanitize $something, and you won't have issues with apostrophes.

Andrew

--- Talisman v0.47-dev (Linux/riscv64)
 * Origin: Smuggler's Cove - Private BBS (21:1/182)
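The apostrophe problem apam describes, as an added, self-contained example that is not part of the original message: it uses PDO with an in-memory SQLite database (instead of mysqli, so no server is needed), and the `users` table, its rows and the input "O'Brien" are constructed for the demo. The concatenated query breaks on the apostrophe, while the bound parameter returns the row.

```php
<?php
// Added example, not from the original post. PDO + SQLite in memory so it
// runs offline; table contents are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('Spectre'), ('O''Brien')");

// Unsafe: the input is spliced into the SQL text, so any quote in it
// changes the structure of the statement.
function findUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the placeholder sits in the value position and the input is sent
// to the database separately, so quotes in it are just data.
function findSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien"; // stands in for $_GET['something']

try {
    print_r(findUnsafe($db, $input));
} catch (PDOException $e) {
    // The SQL became  WHERE name = 'O'Brien'  which is a syntax error.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

print_r(findSafe($db, $input)); // one row: O'Brien
```

Run it with `php example.php` (the pdo_sqlite extension is bundled with most PHP builds). The same split between statement text and bound values is what `mysqli::prepare` plus `bind_param` gives you against MySQL.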