Xephan,
That's senseless! You're implying I may "inject myself" along the code. The vars must be cleaned up on entry, as they will go to mysql more than once.
Like I said, while you would likely take note of these because of familiarity with the code, somebody else subsequently might make the mistake. Unless I'm mistaken about this going to be an open source project? So the safest approach is always to assume that the data is unclean and cleanse it immediately before sending it to the db. Of course you could consider me being paranoid, as long as you don't mind the possibility of an "I told you so" in the future.
Eg. upon register:
query 1: select * from users where user like '$user'
to check whether there's already one account registered with that username
later
select * from users where email like '$email'
to ensure unique emails... etc
As a general rule, I'd recommend always putting a "limit 1" behind such queries. So that even if somebody manages somehow to get past the variable cleansing, the operation he might be attempting may in this way possibly be limited to one, or become an invalid query and so get stopped. Again, you may consider me paranoid.
Now... for the question I put above. Any answer?
Unfortunately not, I haven't looked into the code yet.
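An added example, not part of the thread: it compares cleansing once on entry with handling the value at each query, using bound parameters (a substitute for manual cleansing) plus the "limit 1" suggested above. Python's sqlite3 stands in for the PHP/MySQL code under discussion; the table layout, sample rows and function names are assumptions. The second case, a value read back from the table and reused, goes beyond the registration queries quoted in the thread.

```python
import sqlite3

def escape_on_entry(value):
    # Constructed stand-in for entry-time cleansing: doubles single quotes only.
    return value.replace("'", "''")

def make_db():
    # Constructed sample data; the table layout is an assumption.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("o'brien", "ob@example.test")])
    return db

def taken_string_built(db, user):
    # Shape of the thread's query: the value is pasted into the SQL text.
    sql = f"SELECT * FROM users WHERE user LIKE '{user}'"
    return db.execute(sql).fetchone() is not None

def taken_bound(db, user):
    # Value handled at the query itself: bound parameter, exact match, LIMIT 1.
    sql = "SELECT 1 FROM users WHERE user = ? LIMIT 1"
    return db.execute(sql, (user,)).fetchone() is not None

def stored_name(db, email):
    sql = "SELECT user FROM users WHERE email = ? LIMIT 1"
    return db.execute(sql, (email,)).fetchone()[0]

def demo():
    db = make_db()
    out = {}
    # Case 1: quote escaping at entry leaves the LIKE wildcard "%" active.
    out["wildcard_string_built"] = taken_string_built(db, escape_on_entry("%"))
    out["wildcard_bound"] = taken_bound(db, "%")
    # Case 2: a name read back from the table is raw again when reused.
    raw = stored_name(db, "ob@example.test")
    try:
        out["reuse_string_built"] = taken_string_built(db, raw)
    except sqlite3.OperationalError:
        out["reuse_string_built"] = "query rejected"
    out["reuse_bound"] = taken_bound(db, raw)
    return out

if __name__ == "__main__":
    print(demo())
```

With the string-built query, a lone "%" reports the name as already taken and a stored name containing an apostrophe makes the query invalid; the bound version answers both correctly.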