If I knew the answers I wouldn’t be wasting my time here…
Of course you’ve heard of SQL injection attacks so, at the very least, run your title through mysqli_real_escape_string. I’d be pickier than that but it’s a good place to start - after all, why would you allow ANYTHING other than letters and spaces? Okay, digits, too? You KNOW that 's are used in SQL injection but mysqli_real_escape_string will encode those (or change them to \' before submitting in a query).
Regards,
DK
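An added example (not code from this thread or from DK) of applying the advice above in PHP: check the title against a whitelist first, then either escape it with mysqli_real_escape_string or, going one step beyond the post, bind it in a prepared statement. The `articles` table, its `title` column, the 100-character limit and the connection settings are assumptions made for the illustration.

```php
<?php
// Added example; table `articles`, column `title` and the connection
// settings below are assumed placeholders, not taken from the thread.

// Whitelist check: letters, digits and spaces only, 1 to 100 characters.
function is_valid_title(string $title): bool
{
    return preg_match('/\A[A-Za-z0-9 ]{1,100}\z/', $title) === 1;
}

// Escaping approach: the escaped value must still sit inside quotes in the SQL.
function find_by_title_escaped(mysqli $db, string $title): array
{
    $safe = mysqli_real_escape_string($db, $title); // ' becomes \'
    $sql = "SELECT id, title FROM articles WHERE title = '$safe'";
    return mysqli_fetch_all(mysqli_query($db, $sql), MYSQLI_ASSOC);
}

// Prepared statement: the value travels separately from the SQL text,
// so no escaping step can be forgotten.
function find_by_title_prepared(mysqli $db, string $title): array
{
    $stmt = mysqli_prepare($db, 'SELECT id, title FROM articles WHERE title = ?');
    mysqli_stmt_bind_param($stmt, 's', $title);
    mysqli_stmt_execute($stmt);
    return mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = mysqli_connect('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
mysqli_set_charset($db, 'utf8mb4'); // escaping depends on the connection charset

$title = $_POST['title'] ?? '';
if (!is_valid_title($title)) {
    http_response_code(400);
    exit('Title may contain only letters, digits and spaces.');
}
$rows = find_by_title_prepared($db, $title);
```

mysqli_real_escape_string only protects values placed inside quotes in the query, which is why the escaped variant wraps `$safe` in single quotes.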
I don’t understand what I’m supposed to do with mysqli_real_escape_string…