Vic wrote:
>> So as you can see there is never any user input to worry too much about
>
> *Yet*.
>
> The trouble with knock-up applications is that they invariably creep; n
> years from now, there might well be a way for user-entered stuff to get
> into the SQL stream. That's when gnarly injection problems crawl out of
> the woodwork, and your name is instantly mud...
>
> Sanitising input really isn't onerous - it's less work than writing the
> email to tell us why you don't think you need to - and it will defend your
> code against whatever Management might want to do with it in the future...
>
> Vic.
>
>
Very true :-)
I've done this for the script now:

    $insert_query = sprintf(
        "INSERT INTO stream (channel, starttime, title, description, genre, filename) VALUES ('%s','%s','%s','%s','%s','%s')",
        mysql_real_escape_string($channel),
        mysql_real_escape_string($starttime),
        mysql_real_escape_string($title),
        mysql_real_escape_string($description),
        mysql_real_escape_string($genre),
        mysql_real_escape_string($filename)
    );

Brian
------------------------------------------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
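
The same INSERT written with bound parameters instead of per-value escaping, as an added example that is not part of the original thread. It assumes PDO with the SQLite driver and an in-memory table standing in for the real database; the column types, the `insert_stream` helper and the sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread: the stream INSERT with a
// prepared statement, so values never become part of the SQL text.
// Assumption: in-memory SQLite stands in for the real MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE stream (channel TEXT, starttime TEXT, title TEXT,
           description TEXT, genre TEXT, filename TEXT)');

// Hypothetical helper: one statement, six named placeholders.
function insert_stream(PDO $db, array $row): void
{
    $stmt = $db->prepare(
        'INSERT INTO stream (channel, starttime, title, description, genre, filename)
         VALUES (:channel, :starttime, :title, :description, :genre, :filename)'
    );
    // Every key must match a placeholder; a missing or extra key throws.
    $stmt->execute($row);
}

// Constructed sample row with quotes and a semicolon in the free-text fields.
$row = [
    ':channel'     => 'Channel One',
    ':starttime'   => '2009-01-01 20:00:00',
    ':title'       => "Tonight's Film",
    ':description' => 'He said "it\'s live"; then the credits rolled',
    ':genre'       => 'Film',
    ':filename'    => 'film_20090101.mpg',
];
insert_stream($db, $row);

// The stored values are byte-for-byte what was passed in.
$stored = $db->query('SELECT title, description FROM stream')->fetch(PDO::FETCH_ASSOC);
var_dump($stored['title'] === $row[':title']);
var_dump($stored['description'] === $row[':description']);
var_dump((int) $db->query('SELECT COUNT(*) FROM stream')->fetchColumn());
```

The `mysql_*` extension used in the thread was removed in PHP 7.0, and `mysql_real_escape_string()` is only correct when the connection character set is set properly, which is why bound parameters are the usual replacement.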