To everyone using PHP + MySQL
jsebrech
03-14-2008, 02:50 PM
Please read up on SQL injection attacks:
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php
Most of the PHP code I see on this site for accessing MySQL is NOT secure at all.
CyanBlue
03-14-2008, 03:36 PM
Good information... Thanks for sharing it, jsebrech... :)
TylorFamous
03-24-2008, 05:17 PM
Yes thank you. I did not know this at all!
Thanks for that. It's a lesson I definitely needed to learn!
matbury
04-30-2008, 01:46 PM
Yeah, something I've got to read up on. Thanks jsebrech!
bowljoman
05-03-2008, 08:42 PM
Ah yeah, fairly simple to escape everything at the head of your scripts.
<?php
// Run at the top of the script, before any of the values are used in a query.
// mysql_real_escape_string() needs an open mysql_connect() link, so connect first.
foreach ($_POST as $key => $sec)
{
    // Reject anything that looks like a <script> or <style> tag (case-insensitive).
    if (preg_match('/<[^>]*script[^>]*>/i', $sec) || preg_match('/<[^>]*style[^>]*>/i', $sec))
    {
        die("Who allowed you to post scripts or styles?");
    }
    $sec = trim($sec);
    // Write the sanitized value back: foreach works on a copy, so assigning
    // to $sec alone would leave $_POST untouched.
    $_POST[$key] = sanitize($sec);
}

function sanitize($input)
{
    // Undo magic_quotes first so the value is not escaped twice.
    if (get_magic_quotes_gpc())
    {
        $input = stripslashes($input);
    }
    // mysql_real_escape_string() exists from PHP 4.3.0 onwards.
    if (version_compare(PHP_VERSION, '4.3.0', '>='))
    {
        $output = mysql_real_escape_string($input);
    }
    else
    {
        die("Update PHP!");
    }
    return $output;
}
jsebrech
05-05-2008, 11:14 AM
Just to be clear, though: using escaping is really not the "right" way to go about things, even if it is better than not doing any escaping. The right way is to use PDO instead of the raw mysql functions, and to use prepared statements with variable binding instead of concatenating variables into queries.
http://www.php.net/manual/en/pdo.prepared-statements.php
As a quick fix, escaping is a good way to get going, but for serious production use I would not encourage it as it is likely to lead to bugs.
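To put the two posts above side by side, here is an added example (not code from bowljoman's or jsebrech's posts): the concatenated query that escaping is meant to protect, the same query escaped, an escaped-but-unquoted numeric query that escaping cannot protect, and the PDO prepared-statement form. It runs against an in-memory SQLite database so it works offline; the table, rows, function names and attacker inputs are all constructed for the demonstration, and escapeForSql() is a stand-in for mysql_real_escape_string() (SQLite doubles a quote where MySQL backslash-escapes it, but both leave "1 OR 1=1" untouched, which is the point).

```php
<?php
// Added example for this thread, not code from the original posts.
// Everything below (database, rows, helper names, attacker inputs) is constructed.

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $pdo;
}

// Stand-in for mysql_real_escape_string(): only quote characters are neutralised,
// so a value with no quotes in it, such as "1 OR 1=1", passes through unchanged.
function escapeForSql(string $s): string
{
    return str_replace("'", "''", $s);
}

// 1. Concatenation, no escaping: the attacker's quote closes the string literal.
function countByNameConcat(PDO $pdo, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . $name . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// 2. Escaped and quoted: safe for this particular query.
function countByNameEscaped(PDO $pdo, string $name): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '" . escapeForSql($name) . "'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// 3. Escaped but interpolated unquoted into a numeric position ("id is a number,
//    it does not need quotes"): there is nothing for the escaper to escape.
function countByIdEscaped(PDO $pdo, string $id): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE id = " . escapeForSql($id);
    return (int) $pdo->query($sql)->fetchColumn();
}

// 4. Prepared statement with a bound parameter: the value never becomes SQL text.
function countByNamePrepared(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// For a numeric column, validate the type first and bind as an integer, so a
// value like "1 OR 1=1" is rejected before any SQL is built.
function countByIdPrepared(PDO $pdo, string $id): int
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

$pdo     = setupDb();
$badName = "' OR '1'='1";   // constructed attacker input for a string context
$badId   = "1 OR 1=1";      // constructed attacker input for a numeric context

printf("concat, name   : %d rows (2: every user matched)\n", countByNameConcat($pdo, $badName));
printf("escaped, name  : %d rows (0: the quote was neutralised)\n", countByNameEscaped($pdo, $badName));
printf("escaped, id    : %d rows (2: nothing to escape, OR 1=1 ran)\n", countByIdEscaped($pdo, $badId));
printf("prepared, name : %d rows (0: bound as one literal)\n", countByNamePrepared($pdo, $badName));
try {
    countByIdPrepared($pdo, $badId);
} catch (InvalidArgumentException $e) {
    echo "prepared, id   : rejected (" . $e->getMessage() . ")\n";
}
```

Case 3 is the one that bites the "escape everything at the top of the script" approach: escaping is tied to one context (a single-quoted string literal), and as soon as a value lands anywhere else in the query it does nothing. Bound parameters do not depend on where the value ends up, which is why the prepared-statement form is the one to standardise on.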
agorics
04-23-2009, 10:33 AM
Really useful info, jsebrech. Thank you for sharing it.
vBulletin® v3.8.4, Copyright ©2000-2009, Jelsoft Enterprises Ltd.