In our last episode, <47eb8019$0$14351$e4fe514c@news.xs4all.nl>, the lovely
and talented Erwin Moller broadcast on comp.lang.php:
> No matter if you are updating, or inserting, or selecting: You ALWAYS must
> prepare for the worst.
This is, of course, the right answer. The database can be attacked through
a query string that you intend for SELECT --- which if it worked as you
intended, would only obtain data from the database. But of course a
malicious value could turn your SELECT query into anything else, so you must
escape any value that could possibly be tainted --- and generally escaping
every value whatsoever is best.
--
Lars Eighner <http://larseighner.com/>
usenet@larseighner.com
Countdown: 299 days to go.
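An added illustration of the point in the reply above, not part of the original thread: the same SELECT written so the value is spliced into the SQL text, beside the escaped and the parameterized forms. It assumes PHP with PDO and the pdo_sqlite extension; the table, rows and the `findUser*` function names are constructed for the example.

```php
<?php
// Added example. An in-memory SQLite database via PDO keeps it self-contained;
// the schema and rows below are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
$db->exec("INSERT INTO users (name, email) VALUES
           ('Alice', 'alice@example.com'), ('O''Brien', 'ob@example.com')");

// Vulnerable: the untrusted value becomes part of the query text, so any quote
// character in it is parsed as SQL syntax instead of being compared as data.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name, email FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaped: PDO::quote() wraps the value in quotes and escapes the quotes inside
// it, which is the "escape every value" discipline the post recommends.
function findUserEscaped(PDO $db, string $name): array {
    $sql = "SELECT id, name, email FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Parameterized: the SQL text is fixed before the value is seen, so the value
// can never change the shape of the statement, only what it is compared against.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name, email FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$input = "O'Brien";   // a legitimate value that happens to contain a quote

try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    // The quote ended the string literal early and the rest was parsed as SQL.
    // With a benign value that is a syntax error; with a crafted one it is the
    // injection the reply warns about.
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}

print_r(findUserEscaped($db, $input)); // one row: O'Brien
print_r(findUserSafe($db, $input));    // one row: O'Brien
```

Run with `php example.php`; the first call fails on the quote while the escaped and parameterized calls both return the O'Brien row.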