Quote:
Originally Posted by Ketchup
Code:
if(isset($_POST['search']))
{
$searchs = array();
if(!empty($_POST['contactname']))
{
$searchs[]="contactname LIKE '%".$_POST['contactname']."%'";
}
|
It looks like your search is probably vulnerable to SQL injections. Are you sanitizing the $_POST at all before this code even runs? If you aren't you could be in for a world of hurt, and you've just let the world know your page is vulnerable to injections.
Check out this StackOverflow post for more on SQL injection attacks:
stackoverflow dot com/questions/60174/best-way-to-prevent-sql-injection
-st