"Hartmut Holzgraefe" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Steven Brown wrote:
>
>>> How is this a security hole?
>>
>>
>> E.g.,
>>
>> $id = "0; drop bar";
>> lamesql_query("select foo from bar where id = $id");
>
> this is also possible with oracle, oci8 and other database extensions,
> mysql is the only one where i'm sure about that chaining is *not*
> supported
>
> so the actual security hole is user code that puts *unverified* input
> into SQL queries, so opening the door for SQL injection
>
> whether it makes sense to disable command chaining or at least make
> it configurable with default 'off' in PHP database extensions is a
> topic that may need further discussion (i know that Georg has similar
> plans for mysqli in PHP 5),
> but claiming that command chaining is a '*huge*' security hole per se
> is not justified IMHO, this is more about how much protection against
> "shoot yourself in the foot" incidents PHP should offer ...

The question is what the common PHP programming habit is. Since there is no public recommendation in the manual (fix me here) or somewhere else, I assume that the habit is not always to verify the data, and you can't blame the PHP users.

btw, I doubt you want to publish here the DB schema and URL of a system running Oracle in your ownership ...

moshe.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
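An added example (not code from the thread or from any PHP extension) that replays the quoted `$id = "0; drop bar"` case against Python's sqlite3 module, which stands in for a database driver: `executescript()` behaves like a driver that supports command chaining, `execute()` like one that refuses it, as Hartmut says of the mysql extension. The payload is spelled `drop table bar` because SQLite requires the TABLE keyword; the table and rows are constructed sample data. The comparison shows why refusing chaining only blocks this one payload, while passing the value as a query parameter keeps it from ever being parsed as SQL.

```python
# Added example for this thread (not code from the message or from PHP).
# sqlite3 stands in for a database driver: executescript() acts like a
# driver that supports command chaining, execute() like one that refuses it.
import sqlite3

# Constructed sample data: table "bar" with an integer id and a "foo" column.
SAMPLE_ROWS = [(1, "a"), (2, "b")]

# The user-controlled value from the quoted message, assumed to arrive
# unverified ("drop table bar" because SQLite needs the TABLE keyword).
TAINTED_ID = "0; drop table bar"


def fresh_db() -> sqlite3.Connection:
    """Create an in-memory database with the constructed "bar" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table bar (id integer primary key, foo text)")
    conn.executemany("insert into bar values (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    """True while the "bar" table is still present in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'bar'"
    ).fetchone()
    return row[0] == 1


def run_interpolated(user_id: str, allow_chaining: bool) -> dict:
    """Build the query the way the quoted code does: paste $id into the SQL text."""
    conn = fresh_db()
    sql = f"select foo from bar where id = {user_id}"
    result = {"rows": None, "error": None}
    try:
        if allow_chaining:
            # executescript() runs every statement in the string, so the
            # trailing "drop table bar" is executed as well.
            conn.executescript(sql)
        else:
            # execute() refuses more than one statement per call and raises
            # (sqlite3.Warning on older Pythons, ProgrammingError on newer ones).
            result["rows"] = conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        result["error"] = type(exc).__name__
    result["table_intact"] = table_exists(conn)
    return result


def run_parameterized(user_id: str) -> dict:
    """The fix Hartmut's point implies: hand the value to the driver separately
    from the SQL text, so it is compared as data and never parsed as a statement."""
    conn = fresh_db()
    rows = conn.execute("select foo from bar where id = ?", (user_id,)).fetchall()
    return {"rows": rows, "table_intact": table_exists(conn)}


if __name__ == "__main__":
    print("chaining allowed:    ", run_interpolated(TAINTED_ID, allow_chaining=True))
    print("chaining refused:    ", run_interpolated(TAINTED_ID, allow_chaining=False))
    print("parameterized:       ", run_parameterized(TAINTED_ID))
    print("parameterized, id 1: ", run_parameterized("1"))
```

With chaining allowed the table is gone after the call; with chaining refused the call errors out and the table survives, but only because this particular payload needed a second statement; the parameterized query returns no rows for the tainted value and the expected row for an honest id, which is the behaviour to aim for regardless of what the driver does about chaining.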