Re: code OK for large number of hits?
On Sun, 04 May 2008 21:31:03 -0400, Jerry Stuckle
<jstucklex@attglobal.net> wrote:
>Impossible to tell from what you have. But it looks like you have done
>absolutely no validation of the input data. The result can be a
>complete destruction of your database - or worse. Google for "SQL
>injection".
Jerry,
Where the user is typing a number into a box:
// number_given holds the value read from the input box (set elsewhere)
var number_check = number_given;
// a NaN value fails both comparisons, so it falls through to the isNaN test
if ( (number_check > 7) || (number_check < 1) ) {
    alert("The number must be in the range 1 to 7!");
} else if (isNaN(number_check)) {
    alert("Please enter a valid number");
} else {
    sendGroup1Lab1(number_check);
}
I have changed (***) the PHP to:
$result1 = $_GET['answer1'];
$result2 = $_GET['answer2'];
$result3 = $_GET['answer3'];
$result4 = $_GET['answer4'];
mysql_connect($conf['sql']['host'], $conf['sql']['user'],
    $conf['sql']['pass']) or die(mysql_error());
mysql_select_db($conf['sql']['db']) or die(mysql_error());
// escaping needs an open connection, hence it comes after mysql_connect();
// the key was 'favorite' in the copy-pasted line, corrected here to 'answer4'
$result4 = mysql_real_escape_string($_GET['answer4']); ***
// note: $result1..$result3 are still interpolated into the SQL unescaped
mysql_query("INSERT INTO mytable (answer1,answer2,answer3,answer4)
    VALUES ('$result1','$result2','$result3','$result4')");
I see that mysql_real_escape_string can only be used after connecting
to the database?
Is the above safer?
Cheers
Geoff
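Added here as an illustration, not code from Geoff's post: the same INSERT done with server-side range validation (the 1 to 7 rule the JavaScript enforces only in the browser) and a mysqli prepared statement, so the values are bound as integers instead of being interpolated into the query string. It assumes the $conf['sql'] keys, table and column names from the post; the valid_answer() helper is my own.

```php
<?php
// Added example, not code from the original post. Validates the four
// answers on the server and inserts them with a parameterised query.
// $conf['sql'] keys, table and column names follow the original post.

// One answer must be an integer in 1..7, the same rule as the browser
// check. Returns the integer, or null if the value is not acceptable.
function valid_answer($raw) {
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 7)));
    return ($n === false) ? null : $n;
}

$answers = array();
foreach (array('answer1', 'answer2', 'answer3', 'answer4') as $key) {
    $n = isset($_GET[$key]) ? valid_answer($_GET[$key]) : null;
    if ($n === null) {
        // Reject the whole request; do not echo the raw input back.
        header('HTTP/1.1 400 Bad Request');
        exit("Invalid value for $key: expected an integer from 1 to 7");
    }
    $answers[] = $n;
}

$db = new mysqli($conf['sql']['host'], $conf['sql']['user'],
                 $conf['sql']['pass'], $conf['sql']['db']);
if ($db->connect_error) {
    die('Connect error: ' . $db->connect_error);
}

// The SQL text holds only placeholders; the driver sends the values
// separately, so no quoting or escaping of user input is involved.
$stmt = $db->prepare(
    'INSERT INTO mytable (answer1, answer2, answer3, answer4) VALUES (?, ?, ?, ?)');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
// 'iiii' = four integer parameters, bound by reference.
$stmt->bind_param('iiii', $answers[0], $answers[1], $answers[2], $answers[3]);
if (!$stmt->execute()) {
    die('Insert failed: ' . $stmt->error);
}
$stmt->close();
$db->close();
```

With placeholders the escaping question disappears, since the server never has to parse the user's values as part of the SQL text.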