[SOLVED] Using post value in a SQL statement

[boneXXX]

Hi all,

 

I want to use $_POST[something] value in a MYSQL statement. For Example:

 

SELECT * FROM Table WHERE TableName = $_POST[something]

 

Could you give me some advise please? Thanks

[zenag]

"SELECT * FROM Table WHERE TableName ='$_POST[something]'"

[boneXXX]

Thanks a lot it is worked

[haku]

You should be careful with that though - putting the value into your database without checking it first is very dangerous. People can inject code into your database that does nasty things. You should never put post data directly into the database.

[Xurion]

Could you give some examples of what a user would be able to do by injecting in this method?

[boneXXX]

Thank you for the advise Haku. Actually I didn't think about that, but the way I am using it is safe because I get the $_POST value from a drop down menu so there is no way to inject code into the system. 

 

You should be careful with that though - putting the value into your database without checking it first is very dangerous. People can inject code into your database that does nasty things. You should never put post data directly into the database.

[haku]

You would be mistaken in that assumption.