Philip Olson wrote:
on the contrary:
sql = mysql_query("select * from users where name='".$name."'");
will simply look for a user with a name of "Jim; delete from users;" and
return no results found.
But I can also enter:
jim'; delete from users
You need to catch if there's a quote in the $name too
> In article <[EMAIL PROTECTED]>,
> Philip Olson wrote:
>> One thing to remember is mysql_query() will execute just one (the first)
>> query so use of ; won't do anything in the above except break the
>> query.
>
> If i'm not mistaken, newer versions of mysql do allow multiple queries.
I've heard
In article <[EMAIL PROTECTED]>, Philip Olson wrote:
> One thing to remember is mysql_query() will execute just one (the first)
> query so use of ; won't do anything in the above except break the
> query.
If i'm not mistaken, newer versions of mysql do allow multiple queries.
> (once) and put s
> > on the contrary:
> > sql = mysql_query("select * from users where name='".$name."'");
> >
> > will simply look for a user with a name of "Jim; delete from users;" and
> > return no results found.
>
> But I can also enter:
> jim'; delete from users
>
> You need to catch if there's a quote in
On Wednesday 07 July 2004 12:05, Keith Greene wrote:
> on the contrary:
> sql = mysql_query("select * from users where name='".$name."'");
>
> will simply look for a user with a name of "Jim; delete from users;" and
> return no results found.
But I can also enter:
jim'; delete from users
You nee
On Thursday 08 July 2004 00:05, Keith Greene wrote:
Here's a simple (and probably quite common) example of how not checking user
input will lead to disaster:
DELETE FROM users WHERE userid = $userid
userid is an integer column. If you didn't check your inputs and someone
injected
$userid
Matthew Sims wrote:
I think a good programming habit it to treat it as if it were off.
With regards to magic_quotes_gpc, you can't just "treat it as if it were
off" otherwise you may end up escaping data twice if it's not really off
on a server that runs your code. Detect it's value with
get_mag
Justin Patrin wrote:
On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
The PHP directive magic_quotes_gpc is on by default, and it
essentially runs addslashes() on all GET, POST, and COOKIE data.
Why doesn't this automatically prevent injections, since it escapes out
an
Brian Dunning wrote:
I have a question about this. Here is from the documentation:
The PHP directive magic_quotes_gpc is on by default, and it
essentially runs addslashes() on all GET, POST, and COOKIE data.
Why doesn't this automatically prevent injections, since it escapes out
any single qu
> On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]>
> wrote:
>> I have a question about this. Here is from the documentation:
>>
>> The PHP directive magic_quotes_gpc is on by default, and it
>> essentially runs addslashes() on all GET, POST, and COOKIE data.
>>
>> Why doesn'
On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
> I have a question about this. Here is from the documentation:
>
> The PHP directive magic_quotes_gpc is on by default, and it
> essentially runs addslashes() on all GET, POST, and COOKIE data.
>
> Why doesn't this a
It may escape a quote, but injections would still be possible in other ways.
It gets passed in as \' but then used normally as ' when it's the the variable.
-Josh
On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
> I have a question about this. Here is from the document
I have a question about this. Here is from the documentation:
The PHP directive magic_quotes_gpc is on by default, and it
essentially runs addslashes() on all GET, POST, and COOKIE data.
Why doesn't this automatically prevent injections, since it escapes out
any single quotes they try to subm
> SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE
> (blnHidden = FALSE AND ((fldBody LIKE '%$strCriteria%') OR (fldQuesTitle
> LIKE '%$strCriteria%')));
Say $strCriteria comes from one of the values in the $_REQUEST array,
a user change is coming through in that variable. so
For example, if you are not quoting your criteria:
sql = mysql_query("select * from users where name=".$name);
if someone enters the following in the name field, you're toast:
"Jim; delete from users;"
on the contrary:
sql = mysql_query("select * from users where name='".$name."'");
will simply loo
[snip]
Can someone help me understand how people are able to use SQL
maliciously if you don't protect against it in PHP?
[/snip]
This is a complex subject, but let us say that you didn't do checking at
all, someone might be able to pass a delete statement in a form box like
"DELETE FROM `table` WH
16 matches
Mail list logo
