Hi everyone, I have this in my code:

PHP:
$username = $_POST['username'];
$query = "select username from users where username = '".$username."'";

I want to know whether someone can inject an SQL command via $username? My focus is on single quotes. Thank you in advance.
[nico_swd] I know that PHP, after some version, executes mysql_real_escape_string() automatically. Anything else?
I think you got that wrong. Plus, what are you asking for exactly? Using mysql_real_escape_string() will make your query nearly 100% safe.
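
Added example, not part of any post in this thread: the concatenated query from the question next to a parameterized version, run against the same inputs, so the effect of a single quote in $username is visible. It assumes PDO with an in-memory SQLite database in place of the thread's mysql_* functions; the table contents, function names and input values are constructed for illustration.

```php
<?php
// Added example: constructed table and inputs, in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT)");
$db->exec("INSERT INTO users VALUES ('alice'), ('bob')");

// Pattern from the question: the input is pasted between the single quotes,
// so a quote inside it ends the string literal and the rest is parsed as SQL.
function lookup_concat(PDO $db, string $username): array {
    $query = "select username from users where username = '" . $username . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the value is bound as data and never parsed as SQL.
function lookup_prepared(PDO $db, string $username): array {
    $stmt = $db->prepare("select username from users where username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$inputs = [
    'alice',          // ordinary value
    "o'brien",        // legitimate name that contains a single quote
    "x' OR '1'='1",   // constructed value that closes the quote early
];

foreach ($inputs as $input) {
    try {
        $concat = implode(',', lookup_concat($db, $input));
    } catch (PDOException $e) {
        // The stray quote left the statement syntactically invalid.
        $concat = 'SQL error';
    }
    $prepared = implode(',', lookup_prepared($db, $input));
    printf("%-16s concat=[%s] prepared=[%s]\n", $input, $concat, $prepared);
}
```

With the concatenated form, a quote in the input either breaks the statement or changes its WHERE clause; with the bound parameter, every input is compared as a plain string.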