How can they possibly do it with code like
$name = $form->param('name');
$city = $form->param('city');
$sql_data = "id = '$id'";
if($name ne '') {
$sql_data .= " AND name = '$name'";
}
if($city ne '') {
$sql_data .= " AND city = '$city'";
}
# and so on
$sql = "SELECT * FROM users WHERE $sql_data ORDER BY name";
I think if they insert a ; into one of those values it would be disregarded as a command.
Won't it?
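Added example (not from the post above, and written in Python with an in-memory SQLite table rather than Perl so it can be run directly; the table rows and the input values are constructed for the demonstration). It mirrors the post's string-building logic exactly, then runs the resulting SQL against a small users table. The first check shows that a bare ; inside the quotes is indeed just part of the string literal, which is what the question assumes. The second check shows why that is not the relevant case: a single quote in the value closes the literal early, so the rest of the value becomes SQL and the id/name filter is bypassed. The third function keeps the same dynamic WHERE construction but passes the values as bound parameters (the ? placeholders are the same in Perl DBI), which is the fix.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the post).
ROWS = [
    (1, "alice", "paris"),
    (2, "bob", "berlin"),
    (3, "carol", "paris"),
]


def make_db():
    """Create an in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def build_sql_interpolated(id_, name, city):
    """Same construction as the Perl in the post: user values are pasted
    straight into the SQL text inside single quotes."""
    sql_data = f"id = '{id_}'"
    if name != "":
        sql_data += f" AND name = '{name}'"
    if city != "":
        sql_data += f" AND city = '{city}'"
    return f"SELECT * FROM users WHERE {sql_data} ORDER BY name"


def query_interpolated(conn, id_, name, city):
    """Run the interpolated query as the post's code would."""
    return conn.execute(build_sql_interpolated(id_, name, city)).fetchall()


def query_parameterized(conn, id_, name, city):
    """Same optional-filter logic, but every value is a bound parameter.
    Only the SQL skeleton is assembled as text; the values never become SQL.
    In Perl DBI this is $dbh->prepare($sql) / $sth->execute(@params) with '?'."""
    sql_data = "id = ?"
    params = [id_]
    if name != "":
        sql_data += " AND name = ?"
        params.append(name)
    if city != "":
        sql_data += " AND city = ?"
        params.append(city)
    sql = f"SELECT * FROM users WHERE {sql_data} ORDER BY name"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # 1. A ';' inside the quotes is just data: no row has that name, so nothing matches.
    print(query_interpolated(conn, 1, "bob; DROP TABLE users", ""))
    # 2. A quote closes the literal early; the tail becomes SQL and every row comes back,
    #    even though the filter asked for id = 1 only.
    print(build_sql_interpolated(conn and 1, "x' OR '1'='1", ""))
    print(query_interpolated(conn, 1, "x' OR '1'='1", ""))
    # 3. With bound parameters the same input is compared as a plain string: no match.
    print(query_parameterized(conn, 1, "x' OR '1'='1", ""))
```

The point to take from it: what the database treats as a command boundary is not the ; but the quote that ends the literal, and the only robust way to keep a value from being parsed as SQL is to never splice it into the SQL text at all. Escaping with $dbh->quote() is a weaker second choice; placeholders also let the driver handle types and keep the prepared statement cacheable.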