5 Jan
2005
5 Jan
'05
5:21 p.m.
Tobias Burnus wrote:
Hello,
$result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ". "'$username', password('$password'), ". - "'$realname', '$email', NOW(), 0, 0)"); + "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
Shouldn't one use "'".mysql_escape_string($username)."','" etc.? Or is it ensured elsewhere that no unwanted characters are in the string? ( ' is escaped in PHP, isn't it?)
Tobias
This is a not a security patch...