Dave, New member, Jun 4, 2009, #1

if(@mysql_result(@mysql_query("SELECT * FROM `master` WHERE `numer` LIKE '$_GET[number]' LIMIT 0 , 5 "),0,"email") !="")

Is it prone to SQL injection?
Blackcompe, New member, Jun 4, 2009, #2

If I enter %'# into your form, the query would turn into:

SELECT * FROM `master` WHERE `numer` LIKE '%'

That may return all the records in your table. Try it. The pound symbol indicates a SQL comment, so any syntax after it becomes a comment.
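The two shapes of the query side by side, as an added example that is not code from either poster. It assumes a mysqli connection ($db, with hypothetical credentials) to the same table `master` with columns `numer` and `email`. The first function keeps the posted query verbatim so the %'# payload from the reply can be traced through it; the second uses a prepared statement so the input is sent as data rather than spliced into the SQL text, and additionally escapes the LIKE wildcards so a bare % cannot match every row even though it can no longer break out of the string.

```php
<?php
// Added example (not from the original thread). Assumes a MySQL database with
// table `master` and columns `numer` and `email`; connection details are
// hypothetical placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Vulnerable: same query as the original post, user input concatenated into SQL.
// With $number = "%'#" the string sent to MySQL is
//   SELECT * FROM `master` WHERE `numer` LIKE '%'# ' LIMIT 0 , 5
// and everything after # is a comment, so the first row's email is returned
// and the poster's !="" check passes for any input.
function lookupEmailVulnerable(mysqli $db, string $number): ?string
{
    $sql = "SELECT * FROM `master` WHERE `numer` LIKE '$number' LIMIT 0 , 5";
    $res = $db->query($sql);
    if ($res === false) {
        return null; // syntax error from a malformed payload, or other failure
    }
    $row = $res->fetch_assoc();
    return $row['email'] ?? null;
}

// Hardened: the value is bound as a parameter, so quotes and # in the input
// are plain characters, not SQL. LIKE wildcards are escaped as well; MySQL's
// default LIKE escape character is backslash, so addcslashes() turns
// "%'#" into "\%'#", which only matches a literal "%'#".
function lookupEmailSafe(mysqli $db, string $number): ?string
{
    $pattern = addcslashes($number, '%_\\');
    $stmt = $db->prepare(
        'SELECT `email` FROM `master` WHERE `numer` LIKE ? LIMIT 1'
    );
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $email : null;
}

// Usage, mirroring the original existence check:
$number = $_GET['number'] ?? '';
if (lookupEmailSafe($db, $number) !== null) {
    echo "number exists\n";
}
```

If a partial match is actually wanted (for example a prefix search), append the wildcard in code after escaping, `$pattern = addcslashes($number, '%_\\') . '%';`, rather than letting the caller supply it. If an exact match is wanted, replace LIKE with = and drop the escaping altogether; the prepared statement is what stops the injection in either case.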