The other day it occurred to me that if you have an SQL statement like this:
- Code: Select all
SELECT * from some_table ORDER BY 1 LIMIT $var,10
that essentially you won't have to protect the $var input, at all.. I tried some different things on my server: a UNION won't work because there's already an ORDER clause, and .. well.. there's really nothing else you could do.
Do you agree ?