gnul wrote:
$sql = "update contacts set firstname = 'test's' where contact_id=?";
$sql_result = $RCMAIL->db->query($sql, '91');
The above SQL is not using prepared statements correctly. Every parameter in a query that may be user-defined should use the "?".
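To make the point concrete, here is an added example that is not code from the original post or from Roundcube: the posted update is run both ways against an in-memory SQLite table using Python's sqlite3 module in place of rcube_db. The table, the two rows (contact_id 91 and 92) and the injected value are constructed here. The first function mirrors the posted snippet (the name pasted into the SQL text, only contact_id bound through "?"); the second binds every user-supplied value.

```python
"""Interpolated versus prepared UPDATE, as discussed on the list.

Added example, not Roundcube code.  sqlite3 stands in for rcube_db and the
contacts table and its rows are constructed below.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory contacts table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table contacts (contact_id integer primary key, firstname text)"
    )
    conn.executemany(
        "insert into contacts (contact_id, firstname) values (?, ?)",
        [(91, "alice"), (92, "bob")],
    )
    conn.commit()
    return conn


def update_interpolated(conn: sqlite3.Connection, contact_id: int, firstname: str) -> None:
    """Mirrors the posted snippet: the name is pasted into the SQL string and
    only contact_id travels as a bound parameter."""
    sql = "update contacts set firstname = '" + firstname + "' where contact_id=?"
    conn.execute(sql, (contact_id,))
    conn.commit()


def update_prepared(conn: sqlite3.Connection, contact_id: int, firstname: str) -> None:
    """Every value that may be user-defined goes through a '?' placeholder."""
    conn.execute(
        "update contacts set firstname = ? where contact_id=?",
        (firstname, contact_id),
    )
    conn.commit()


def firstnames(conn: sqlite3.Connection) -> dict:
    """Current {contact_id: firstname} mapping, for checking what changed."""
    return dict(
        conn.execute("select contact_id, firstname from contacts order by contact_id")
    )


def demo() -> dict:
    """Run the four cases and return their outcomes keyed by case name."""
    results = {}

    # 1. The symptom from the post: the apostrophe in "test's" ends the string
    #    literal early and the rest of the statement no longer parses.
    conn = make_db()
    try:
        update_interpolated(conn, 91, "test's")
        results["interpolated_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["interpolated_apostrophe"] = "syntax error"

    # 2. Same string building, attacker-chosen value (constructed payload):
    #    the quote closes the literal, a new WHERE targets row 92, a spare '?'
    #    keeps the bind count at one so the driver does not complain, and '--'
    #    comments out the original tail of the statement.
    update_interpolated(conn, 91, "x' where contact_id=92 or ?=0 --")
    results["interpolated_injected"] = firstnames(conn)

    # 3. Prepared statement: the apostrophe is stored as data, only row 91 changes.
    conn = make_db()
    update_prepared(conn, 91, "test's")
    results["prepared_apostrophe"] = firstnames(conn)

    # 4. Prepared statement with the same payload: it is just a first name.
    conn = make_db()
    update_prepared(conn, 91, "x' where contact_id=92 or ?=0 --")
    results["prepared_injected"] = firstnames(conn)

    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Placeholders carry values only: a table or column name chosen by the user still cannot be bound this way and has to be checked against a fixed list before it is spliced into the query text.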
Thank you for pointing that out. My example is modeled after what's really going on in rcube_contacts::update().

_______________________________________________
List info: http://lists.roundcube.net/dev/