Yes, true. My mistake. Someone else also mentioned subqueries. Those could be a problem if your database supports it, too.
---John Holmes...

> -----Original Message-----
> From: Rick Emery [mailto:remery@;emeryloftus.com]
> Sent: Friday, October 25, 2002 6:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] extract($_POST)
>
> You assume mysql.
> Other SQL databases allow multiple statements.
>
> > -----Original Message-----
> > From: Rick Emery [mailto:remery@;emeryloftus.com]
> > Sent: Friday, October 25, 2002 4:59 PM
> > To: Chris Boget; [EMAIL PROTECTED]; Monty
> > Subject: Re: [PHP] extract($_POST)
> >
> > Let's say you have a statement like:
> > $query = "SELECT * FROM mytable WHERE firstname=$firstname";
> >
> > And if $firstname is set to:
> > "xyz"; DELETE FROM mytable
> >
> > Then this is executed as:
> > SELECT * FROM mytable WHERE firstname="xyz";DELETE FROM mytable
> >
> > This can wipe out your table...a bad thing...
> >
> > ----- Original Message -----
> > From: "Chris Boget" <[EMAIL PROTECTED]>
> > To: "Rick Emery" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>; "Monty" <[EMAIL PROTECTED]>
> > Sent: Friday, October 25, 2002 3:41 PM
> > Subject: Re: [PHP] extract($_POST)
> >
> > This thread has been great! I've learned so much useful stuff.
> >
> > > For instance, if you expect a variable called $firstname to contain
> > > a name to be stored in a SQL database, be certain it does not contain
> > > SQL commands which can damage your database.
> >
> > This is another thing I'd be interested in hearing more about. If all you
> > are doing is storing and retrieving data, what commands could possibly
> > be defined that could damage your database?
> >
> > $firstName = "Chris";
> > mysql_query( "INSERT INTO names ( first_name ) VALUES ( \"$firstName\" )" );
> > $result = mysql_query( "SELECT first_name FROM names" );
> > while( $dataArray = mysql_fetch_assoc( $result )) {
> >     echo $dataArray["first_name"];
> > }
> >
> > If $firstName was set by a form submission, what malicious SQL code could
> > damage your database? All you are doing is storing, retrieving and displaying
> > data...
> >
> > Chris
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
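The fix the thread is circling around is to stop building SQL text out of request data at all. The script below is an added example, not code from anyone in the thread: it puts Rick's interpolated query next to a parameterised PDO version, using his table and column names and the exact value he gave, and runs against an in-memory SQLite database (it assumes the pdo_sqlite extension is available). Because the bound value is sent as data rather than as part of the statement, Rick's multi-statement case and John's subquery case are handled the same way: the characters are compared against the column, never parsed as SQL. The `isPlausibleFirstName()` policy is a constructed illustration of input validation on top of that, not something the thread specifies.

```php
<?php
// Added example (not from the thread): Rick's interpolated query next to a
// parameterised version. Runs against an in-memory SQLite database via PDO
// (assumes the pdo_sqlite extension); table and column names follow the thread.

// Vulnerable form: $firstname is pasted into the SQL text, so quotes and
// semicolons in it become part of the statement. Defined here for contrast
// only; it is never called with untrusted input below.
function findByFirstNameUnsafe(PDO $db, string $firstname): array
{
    $query = "SELECT * FROM mytable WHERE firstname=\"$firstname\"";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is a constant and the value is bound as a
// parameter. The driver sends it as data, so a second statement, a subquery
// or a stray quote inside it is just a string to compare against the column.
function findByFirstNameSafe(PDO $db, string $firstname): array
{
    $stmt = $db->prepare('SELECT * FROM mytable WHERE firstname = :firstname');
    $stmt->execute([':firstname' => $firstname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: decide what a first name may look like before it reaches
// the database at all (constructed policy; tune it to your own data).
function isPlausibleFirstName(string $value): bool
{
    return (bool) preg_match('/^[\p{L}\p{M}\' .-]{1,64}$/u', $value);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, firstname TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO mytable (firstname) VALUES (:firstname)');
foreach (['Chris', 'Monty', 'Rick'] as $name) {
    $insert->execute([':firstname' => $name]);
}

// The value from the thread, handed only to the safe lookup.
$hostile = '"xyz"; DELETE FROM mytable';

printf("validation accepts the hostile value: %s\n", isPlausibleFirstName($hostile) ? 'yes' : 'no');
printf("safe lookup for the hostile value matched %d rows\n", count(findByFirstNameSafe($db, $hostile)));
printf("rows still in mytable: %d\n", $db->query('SELECT COUNT(*) FROM mytable')->fetchColumn());
printf("safe lookup for Chris matched %d rows\n", count(findByFirstNameSafe($db, 'Chris')));
```

Run it with `php example.php`; the table keeps all three rows after the hostile lookup, and the lookup itself matches nothing because no row has that literal string as its first name. On a MySQL connection the same `prepare()`/`execute()` pair applies; setting `PDO::ATTR_EMULATE_PREPARES` to false makes PDO use the server's own prepared-statement protocol rather than client-side quoting, but either mode keeps the value out of the SQL grammar.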