use DBI;
# $dbh is assumed to be an already-connected DBI database handle.
my $sth = $dbh->prepare("INSERT INTO walstock (sid, name, qty) VALUES (?, ?, ?)");
# ok, we have 3 placeholders, so pass 3 params to the execute function.
if ($sth->execute($sid, $name, $qty)) {
    # ...
} else {
    print "Didn't work, uncool, error is: $DBI::errstr";
}
# we expect $user_id to be a user_id, but we don't check it.
$dbh->prepare("DELETE FROM foo WHERE user_id=$user_id");
# looks good, except the user submitted this as the value for user_id:
#     10 or 1=1
# so we end up with:
#     DELETE FROM foo WHERE user_id=10 or 1=1
# which in effect deletes everything, because 1 always equals 1.
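The same contrast, run end to end against an in-memory SQLite table so the row counts can be checked. This is an added example written for this page, not the page's own Perl; it uses Python's sqlite3 module, whose `?` placeholders work like DBI's, and the table name `foo`, the column `user_id`, the three seeded rows and the input string `10 or 1=1` are constructed to mirror the text above. The `parse_user_id` check is an assumption about what "checking" the value would look like, not something the page specifies.

```python
import sqlite3


def make_db():
    """Constructed fixture: table foo with three rows, user_id 10, 11, 12."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (user_id INTEGER, note TEXT)")
    conn.executemany(
        "INSERT INTO foo (user_id, note) VALUES (?, ?)",
        [(10, "a"), (11, "b"), (12, "c")],
    )
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM foo").fetchone()[0]


def delete_interpolated(conn, user_id):
    """Vulnerable pattern from the page: the value is pasted into the SQL text,
    so '10 or 1=1' becomes part of the WHERE clause. Returns rows deleted."""
    sql = f"DELETE FROM foo WHERE user_id={user_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_parameterized(conn, user_id):
    """Placeholder pattern: the driver binds the value as data, never as SQL.
    The string '10 or 1=1' is compared to user_id as a whole value and matches
    nothing, because it cannot be converted to an integer. Returns rows deleted."""
    cur = conn.execute("DELETE FROM foo WHERE user_id=?", (user_id,))
    conn.commit()
    return cur.rowcount


def parse_user_id(raw):
    """Assumed input check: a user_id must be a non-negative integer.
    Raises ValueError for anything else, including '10 or 1=1'."""
    value = int(str(raw).strip())  # int() rejects trailing SQL text
    if value < 0:
        raise ValueError("user_id must be non-negative")
    return value


def demo():
    """Runs both deletes against fresh copies of the table and reports counts."""
    payload = "10 or 1=1"  # constructed: the attacker-supplied value from the page
    unsafe = make_db()
    safe = make_db()
    legit = make_db()
    result = {
        "interpolated_deleted": delete_interpolated(unsafe, payload),
        "interpolated_remaining": count_rows(unsafe),
        "parameterized_deleted": delete_parameterized(safe, payload),
        "parameterized_remaining": count_rows(safe),
        "legit_deleted": delete_parameterized(legit, parse_user_id("10")),
    }
    try:
        parse_user_id(payload)
        result["check_rejected_payload"] = False
    except ValueError:
        result["check_rejected_payload"] = True
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The interpolated delete removes all three rows, the parameterized one removes none with the same input, and a plain integer check rejects the input before any SQL is built; validation and placeholders are complementary, since placeholders stop the value from changing the query's shape while the check keeps obviously wrong values out of the data path.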