srihari

  1. Can anybody check which one of my above code best solves my specifications??
  2.
     ```php
     // Escape the POSTed value before it goes into the query string
     $name = mysql_real_escape_string($_POST['name']);
     $query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
     $result = mysql_query($query);
     ```

     Does this work out fine??? Or please check the code below also??

     ```php
     <?php
     // Note: ext/mysql (mysql_*) was removed in PHP 7.0 and get_magic_quotes_gpc() in PHP 8.0.
     if (isset($_POST['last_name'])) {
         // Connect
         $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password');

         if (!is_resource($link)) {
             echo "Failed to connect to the server\n";
             // ... log the error properly
         } else {
             // Reverse magic_quotes_gpc/magic_quotes_sybase effects on those vars if ON.
             if (get_magic_quotes_gpc()) {
                 $last_name = stripslashes($_POST['last_name']);
             } else {
                 $last_name = $_POST['last_name'];
             }

             // Make a safe query
             $query = sprintf("SELECT * FROM `customers` WHERE `last_name` = '%s'",
                 mysql_real_escape_string($last_name, $link));

             $result = mysql_query($query, $link);

             // A SELECT returns a result set, so count its rows with mysql_num_rows()
             if ($result && mysql_num_rows($result) > 0) {
                 echo "Customer found\n";
             }
         }
     } else {
         echo "Fill the form properly\n";
     }
     ?>
     ```
  3. A source of potential problems in a dynamic web application is the "pollution" of input with bad, if not downright malicious, data.

     ```php
     /* assumed $name is user data culled from a POSTed HTML form... */
     $query = "SELECT * FROM members WHERE firstname = '" . $name . "';";
     $result = mysql_query($query);
     ```

     Can anyone help me out?? How will I catch malformed (malicious?) POST/GET data in $name? Can anyone suggest how to proceed with the code? Can I have sample code???
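
An added example, not part of the original posts: it runs the concatenated `members` query from post 3 beside a bound-parameter query and an input check, over constructed inputs standing in for `$_POST['name']`. The in-memory SQLite database accessed through PDO, the sample rows and the `valid_firstname()` helper are assumptions made for illustration.

```php
<?php
// Added example: constructed table and inputs, in-memory SQLite through PDO.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, firstname TEXT)");
$pdo->exec("INSERT INTO members (firstname) VALUES ('Alice'), ('Bob'), ('D''Arcy')");

// Hypothetical validator: letters, spaces, apostrophes and hyphens, 1 to 50 characters.
function valid_firstname($name)
{
    return is_string($name)
        && preg_match("/^[\\p{L}][\\p{L} '\\-]{0,49}$/u", $name) === 1;
}

// The pattern from the post: user data pasted into the SQL text.
function find_concatenated(PDO $pdo, $name)
{
    $query = "SELECT * FROM members WHERE firstname = '" . $name . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Bound parameter: the value travels separately from the SQL text.
function find_prepared(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT * FROM members WHERE firstname = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a plain name, a legitimate name with a quote,
// a value that contains SQL syntax, and an empty field.
$inputs = ['Alice', "D'Arcy", "x' OR 'a'='a", ''];
foreach ($inputs as $name) {
    try {
        $concat = count(find_concatenated($pdo, $name)) . ' row(s)';
    } catch (PDOException $e) {
        $concat = 'SQL error';  // the quote ended the string literal early
    }
    printf("%-18s valid=%-3s concatenated=%-10s prepared=%d row(s)\n",
        var_export($name, true),
        valid_firstname($name) ? 'yes' : 'no',
        $concat,
        count(find_prepared($pdo, $name)));
}
```

The validator decides what the application accepts; the bound parameter is what keeps an accepted value such as `D'Arcy` from being parsed as SQL.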