As long as you only put it into a query, it's fine, because the only dangers you have with a string in a query are control chars and quotes.
However, don't ever put this poorly sanitized string into an eval, otherwise you get hacked, because then much more sanitizing is necessary than for queries alone.
Open includes/class_core.php, search for the gpc class and see for yourself what gets masked and how the string gets sanitized, so that you KNOW what happens.
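The distinction the post draws between a quoted SQL literal and eval(), as an added example in PHP that is not part of the original post or of vBulletin's own code. escape_for_sql() is a hand-rolled stand-in for a database escape function (so the script runs without a database), and canary(), $decoy and the payload string are constructed for illustration:

```php
<?php
// Added example (not from the post or from vBulletin): a string that is
// adequately escaped for a quoted SQL literal is still not safe in eval().

function escape_for_sql(string $s): string
{
    // Stand-in for a database escape routine: neutralises the characters that
    // can terminate or corrupt a single-quoted SQL string literal (quotes,
    // backslash and the control characters the MySQL escaper handles).
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Hypothetical canary: records that attacker-controlled code was executed.
$canary_hit = false;
function canary(): string
{
    $GLOBALS['canary_hit'] = true;
    return 'decoy';   // name of a variable that exists in the calling scope
}
$decoy = 'attacker-chosen value';

// Constructed hostile input. It contains no quotes and no control characters,
// so escape_for_sql() leaves it byte-for-byte unchanged.
$input = '{${canary()}}';
$clean = escape_for_sql($input);

// 1. Inside a quoted SQL literal the payload is inert: it is only data that
//    the server compares against the username column.
$sql = "SELECT userid FROM user WHERE username = '$clean'";
echo $sql, "\n";
var_dump($canary_hit);

// 2. The same string interpolated into PHP source and passed to eval() is
//    code: the eval'd text is  $name = "{${canary()}}";  and PHP's
//    "{${ expr }}" syntax evaluates expr, so canary() runs and $name ends up
//    holding whatever variable canary() chose to name.
eval("\$name = \"$clean\";");
var_dump($canary_hit);
var_dump($name);

// 3. If eval() really cannot be avoided, emit the value as a PHP literal via
//    var_export(): a single-quoted string with \ and ' escaped, in which
//    nothing is interpolated or executed. Not using eval() at all is better.
$canary_hit = false;
eval('$name = ' . var_export($clean, true) . ';');
var_dump($canary_hit);
var_dump($name);
```

The point of step 2 is that the character set a SQL escaper worries about (quotes, backslash, control characters) has almost no overlap with what makes a string dangerous as PHP source, so "sanitized enough for the query" says nothing about eval().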