Just a note to tell people to look for the use of something like...
$sql .= "and fieldname = '" . addslashes($fieldvalue) . "'";
Of course this can depend on whether or not slashes are added automatically... but if they are, then they mess up on page displays, perhaps doubling up on form redisplay, and may be stripped out anyway (if the feature isn't turned off entirely on your server).
A lot of amateur code contains almost zero protection against SQL shenanigans or field values not constrained by use of a browser form to generate GET/POST values.
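To make the concern above concrete, here is an added example (not code from the original post) that puts the addslashes() concatenation pattern next to a PDO prepared statement. It runs against an in-memory SQLite database, so it needs the pdo_sqlite extension; the table, column and sample values are constructed for the example, and the "server already added slashes" situation is emulated by calling addslashes() by hand rather than relying on the old magic_quotes setting.

```php
<?php
// Added example, not code from the original post. It contrasts the
// addslashes() string building quoted above with a PDO prepared statement.
// Uses an in-memory SQLite database (needs the pdo_sqlite extension); the
// table, column and sample values are constructed for this example.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)");
$db->exec("INSERT INTO people (surname) VALUES ('O''Brien'), ('Smith')");

// A legitimate form value containing an apostrophe.
$fieldvalue = "O'Brien";

// (1) The pattern from the post: the escaped value is spliced into the SQL text.
// addslashes() produces backslash escapes, which MySQL understands but SQLite
// does not, so here the query is not even valid SQL. The escaping function has
// to match the database engine, and nothing checks that it does.
$sql = "SELECT surname FROM people WHERE surname = '" . addslashes($fieldvalue) . "'";
echo "concatenated query: $sql\n";
try {
    $db->query($sql);
    echo "  ran (this engine accepts backslash escapes)\n";
} catch (PDOException $e) {
    echo "  failed: " . $e->getMessage() . "\n";
}

// (2) The doubling problem the post mentions: if the server already added
// slashes to the request data (emulated here), a second addslashes() escapes
// the escapes, and the stored or redisplayed value is no longer the user's input.
$already_slashed = addslashes($fieldvalue);   // what a slash-adding server hands you
$double = addslashes($already_slashed);       // what the snippet above then does to it
echo "once:  $already_slashed\n";             // O\'Brien
echo "twice: $double\n";                      // O\\\'Brien
echo "single escape round-trips: "
    . var_export(stripslashes($already_slashed) === $fieldvalue, true) . "\n";   // true
echo "double escape round-trips: "
    . var_export(stripslashes($double) === $fieldvalue, true) . "\n";            // false

// (3) A prepared statement: the SQL text is fixed and the value travels
// separately, so there is no escaping step to get wrong, double up, or forget,
// and the apostrophe is handled by the driver for whichever engine is in use.
$stmt = $db->prepare("SELECT surname FROM people WHERE surname = ?");
$stmt->execute([$fieldvalue]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "prepared lookup: " . ($row ? $row['surname'] : 'no match') . "\n";  // O'Brien
```

When reviewing code, the thing to grep for is exactly what the post says: string concatenation of form values into `$sql`, with or without addslashes(). Each such site is a place where the query text depends on the escaping being correct for the engine and applied exactly once; a prepared statement with bound parameters removes that dependency entirely.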