The Natural Philosopher wrote:
> Andy Burns wrote:
>
>> The Natural Philosopher wrote:
>>
>>> $query = "insert into data set";
>>> $flag=0;
>>> foreach($fields as $name) //read variables and add to query
>>> {
>>> if($flag) $query .=',';
>>> if(isset($_GET[$name]))
>>> $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
>>> else
>>> $query.= sprintf(" %s='%s'",$name,"");
>>> $flag++;
>>> }
>>
>>
>
> funny, but obviously you don't understand sql
I don't claim to specialize in SQL, but I've done my share; however, it's
your bugs being discussed, not mine.
> as the sample code specifically cannot do that kind of thing.
Can I smuggle a single-quote and a semicolon into the $_POST[] array,
so that you concatenate it onto your query string thinking it's merely a
value? Yes I can.
> That is the reason why the SQL command is not passed.
> And it is the reason why all the arguments are 'quoted'.
If you think those mitigate SQL injection attacks you are badly
mistaken. Your code could use a fixed query string referencing
@variables which are initialised with the values passed.
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
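As an added illustration of the point made above (not code from either poster), the following Python script builds the same kind of INSERT two ways: first by quoting each value with `'%s'` and concatenating it into the query text, as the quoted PHP does, and then with a fixed query string whose values are passed as bound parameters. It uses an in-memory sqlite3 database so it runs offline; because sqlite3 has no MySQL-style `INSERT ... SET`, the standard column-list/VALUES form is used instead. The field list and the submitted form are constructed inputs standing in for `$fields` and `$_POST`.

```python
import sqlite3

# Constructed stand-ins for the PHP $fields array and the submitted form.
# Assumption: a single "data" table whose text columns match FIELDS.
FIELDS = ["name", "city"]


def build_concatenated(form):
    """Mirror the quoted PHP: wrap each value in '...' and splice it into the SQL text.

    The quoting does not separate data from code; a value containing a
    single quote changes the structure of the statement itself.
    """
    columns = ", ".join(FIELDS)
    values = ", ".join("'%s'" % form.get(name, "") for name in FIELDS)
    return "insert into data (%s) values (%s)" % (columns, values)


def insert_parameterized(conn, form):
    """Fixed statement text; values travel separately as bound parameters.

    Column names come from FIELDS (code), never from the request, so the
    SQL text is constant no matter what the form contains.
    """
    columns = ", ".join(FIELDS)
    placeholders = ", ".join("?" for _ in FIELDS)
    sql = "insert into data (%s) values (%s)" % (columns, placeholders)
    conn.execute(sql, [form.get(name, "") for name in FIELDS])


def demo(form):
    """Run both approaches against a fresh in-memory table.

    Returns (concatenated_statement_parsed, rows_stored). With a plain
    form both inserts succeed and two identical rows are stored; with a
    value containing a single quote the concatenated statement is no
    longer valid SQL, while the parameterized insert stores the value
    exactly as submitted.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("create table data (name text, city text)")

    concatenated_ok = True
    try:
        conn.execute(build_concatenated(form))
    except sqlite3.OperationalError:
        # The quote in the value broke the statement: sqlite refuses to parse it.
        concatenated_ok = False

    insert_parameterized(conn, form)
    stored = conn.execute("select name, city from data").fetchall()
    conn.close()
    return concatenated_ok, stored


if __name__ == "__main__":
    print(demo({"name": "Andy", "city": "Dunedin"}))
    print(demo({"name": "O'Brien", "city": "Dunedin"}))
```

The second call shows the failure mode the thread is about: the apostrophe in `O'Brien` is enough to alter the concatenated statement, whereas the bound-parameter version never lets the value touch the SQL text and stores it intact. A real application would also validate that each name in `FIELDS` is a known column before using it to assemble the column list.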