Let's say you have a statement like:
$query = "SELECT * FROM mytable WHERE firstname=$firstname";

And if $firstname is set to:
  "xyz"; DELETE FROM mytable

Then this is executed as:  SELECT * FROM mytable WHERE firstname="xyz";DELETE FROM mytable

This can wipe out your table...a bad thing...

----- Original Message -----
From: "Chris Boget" <[EMAIL PROTECTED]>
To: "Rick Emery" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Monty"
<[EMAIL PROTECTED]>
Sent: Friday, October 25, 2002 3:41 PM
Subject: Re: [PHP] extract($_POST)


This thread has been great!  I've learned so much useful stuff.

> For instance, if you expect a variable called $firstname to contain
> a name to be stored in a SQL database, be certain it does not contain
> SQL commands which can damage your database.

This is another thing I'd be interested in hearing more about.  If all you
are doing is storing and retrieving data, what commands could possibly
be defined that could damage your database?

$firstName = "Chris";
mysql_query( "INSERT INTO names ( first_name ) VALUES ( \"$firstName\" )" );
$result = mysql_query( "SELECT first_name FROM names" );
while( $dataArray = mysql_fetch_assoc( $result )) {
  echo $dataArray["first_name"];
}

If $firstName was set by a form submission, what malicious SQL code could
damage your database?  All you are doing is storing, retrieving and displaying
data...

Chris



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
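
The quoted-string splice described at the top of this thread, worked through in Python against an in-memory SQLite table. This is an added example, not code from either poster: the table and rows are constructed, the thread's double-quoted SQL literal is written with standard single quotes, and sqlite3's executescript() stands in for a database driver that accepts stacked statements (execute() refuses them), which is the behaviour the thread's DELETE relies on.

```python
import sqlite3

# Constructed sample data standing in for the thread's 'mytable'.
SEED_ROWS = [("Chris",), ("Rick",), ("Monty",)]

# The attacker-controlled value from the thread, with a single-quoted literal:
# the leading quote closes the string, the ';' starts a second statement.
PAYLOAD = "'xyz'; DELETE FROM mytable"


def fresh_db():
    """In-memory SQLite database seeded with three names (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (firstname TEXT)")
    conn.executemany("INSERT INTO mytable (firstname) VALUES (?)", SEED_ROWS)
    conn.commit()
    return conn


def row_count(conn):
    """Number of rows left in mytable; used to observe the damage."""
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def build_query_unsafe(firstname):
    """String interpolation exactly as in the thread: the input becomes SQL text."""
    return f"SELECT * FROM mytable WHERE firstname={firstname}"


def lookup_unsafe(conn, firstname):
    """Run the interpolated string through a stacked-statement-capable path.

    sqlite3's execute() rejects more than one statement per call, so
    executescript() models a driver that does not. Returns rows remaining.
    """
    conn.executescript(build_query_unsafe(firstname))
    return row_count(conn)


def lookup_safe(conn, firstname):
    """Parameterized query: the value is bound as data and never parsed as SQL.

    Returns (matching rows, rows remaining) so the two can be compared.
    """
    cur = conn.execute("SELECT * FROM mytable WHERE firstname=?", (firstname,))
    return len(cur.fetchall()), row_count(conn)
```

With the same PAYLOAD, lookup_unsafe() leaves the table empty while lookup_safe() simply finds no row named `'xyz'; DELETE FROM mytable` and leaves all three rows in place.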
