You can still create a sub-query to do the damage.

Jason
-----Original Message-----
From: John W. Holmes [mailto:holmes072000@;charter.net]
Sent: Friday, October 25, 2002 4:01 PM
To: 'Rick Emery'; 'Chris Boget'; [EMAIL PROTECTED]; 'Monty'
Subject: RE: [PHP] extract($_POST)

No, this can't happen. There can only be one SQL query per mysql_query().
Google for SQL injection or something and I'm sure you'll find examples.

---John Holmes...

> -----Original Message-----
> From: Rick Emery [mailto:remery@;emeryloftus.com]
> Sent: Friday, October 25, 2002 4:59 PM
> To: Chris Boget; [EMAIL PROTECTED]; Monty
> Subject: Re: [PHP] extract($_POST)
>
> Let's say you have a statement like:
> $query = "SELECT * FROM mytable WHERE firstname=$firstname";
>
> And if $firstname is set to:
> "xyz"; DELETE FROM mytable
>
> Then this is executed as:
> SELECT * FROM mytable WHERE firstname="xyz";DELETE FROM mytable
>
> This can wipe out your table...a bad thing...
>
> ----- Original Message -----
> From: "Chris Boget" <[EMAIL PROTECTED]>
> To: "Rick Emery" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Monty" <[EMAIL PROTECTED]>
> Sent: Friday, October 25, 2002 3:41 PM
> Subject: Re: [PHP] extract($_POST)
>
> > This thread has been great! I've learned so much useful stuff.
> >
> > > For instance, if you expect a variable called $firstname to contain
> > > a name to be stored in a SQL database, be certain it does not contain
> > > SQL commands which can damage your database.
> >
> > This is another thing I'd be interested in hearing more about. If all you
> > are doing is storing and retrieving data, what commands could possibly
> > be defined that could damage your database?
> >
> > $firstName = "Chris";
> > mysql_query( "INSERT INTO names ( first_name ) VALUES ( \"$firstName\" )" );
> > $result = mysql_query( "SELECT first_name FROM names" );
> > while( $dataArray = mysql_fetch_assoc( $result )) {
> >     echo $dataArray["first_name"];
> > }
> >
> > If $firstName was set by a form submission, what malicious SQL code could
> > damage your database?
> > All you are doing is storing, retrieving and displaying data...
> >
> > Chris
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
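The three positions in this thread, worked through as an added example that is not part of the original messages: Rick's stacked `DELETE` payload, John's objection that only one statement runs per mysql_query(), and Jason's point that a single statement carrying a subquery still does damage. It uses Python's sqlite3 module in place of PHP and mysql_query(), which is an assumption; sqlite3's execute() likewise runs at most one statement per call, so it reproduces the behaviour John describes. The tables, rows and the `accounts` table are constructed for the example, and single quotes are used around the value because that is SQLite's string-literal syntax. The `lookup_vulnerable` function keeps the thread's string-interpolated query on purpose; `lookup_safe` is the parameterized form.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the thread): the names table the form
    writes to, plus a second table nothing in the form should be able to read."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE mytable (firstname TEXT);
        INSERT INTO mytable VALUES ('Chris'), ('Monty'), ('Rick');
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin', 's3cret');
        """
    )
    return conn


def lookup_vulnerable(conn, firstname):
    """Same shape as the thread's
        $query = "SELECT * FROM mytable WHERE firstname=$firstname";
    with the submitted value pasted straight into the SQL text.
    Deliberately vulnerable."""
    query = "SELECT * FROM mytable WHERE firstname='%s'" % firstname
    # Like mysql_query(), sqlite3's execute() runs at most one statement per call.
    return [row[0] for row in conn.execute(query).fetchall()]


def lookup_safe(conn, firstname):
    """Parameterized query: the value travels separately from the SQL text,
    so the database never parses it as SQL."""
    rows = conn.execute("SELECT * FROM mytable WHERE firstname=?", (firstname,))
    return [row[0] for row in rows.fetchall()]


def stacked_payload_is_refused(conn):
    """Rick's payload appends a second statement. With one-statement-per-call
    execution it is rejected before anything runs (John's point) and the table
    survives. Older Pythons raise sqlite3.Warning for this, newer ones
    sqlite3.ProgrammingError, hence both are caught."""
    try:
        lookup_vulnerable(conn, "xyz'; DELETE FROM mytable")
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0] == 3
    return False


# Single-statement payloads: no second query is needed to do damage (Jason's point).
TAUTOLOGY = "x' OR '1'='1"          # closes the literal, makes the WHERE always true
UNION_READ = "x' UNION SELECT password FROM accounts WHERE username='admin"
BLIND_PROBE = "x' OR (SELECT password FROM accounts WHERE username='admin') LIKE 's%"


def demo():
    """Runs every case against one fresh database and returns the results."""
    conn = build_db()
    return {
        # stacked statement: refused, rows untouched
        "stacked_refused": stacked_payload_is_refused(conn),
        # one statement, but every row comes back
        "tautology": sorted(lookup_vulnerable(conn, TAUTOLOGY)),
        # one statement, but it reads a different table entirely
        "union_read": lookup_vulnerable(conn, UNION_READ),
        # one statement with a scalar subquery: rows appear only if the guess is right
        "blind_probe_hit": lookup_vulnerable(conn, BLIND_PROBE) != [],
        # the same payload through a parameterized query is just a name that matches nothing
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_normal": lookup_safe(conn, "Chris"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Both sides of the thread are right about their own point: a driver that executes one statement per call does stop the `"xyz"; DELETE FROM mytable` payload, and it does nothing against a payload that stays inside the one `SELECT`. The `UNION` and the scalar subquery read the `accounts` table through a form that was only ever meant to look up a first name, which is why the fix is to keep user input out of the SQL text altogether rather than to rely on the one-statement limit.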