On Wed, Apr 6, 2016 at 1:03 PM, Peter Haworth <p...@lcsql.com> wrote:

> Now you've got me worried!  I had the impression that since the PHP scripts
> run on my server and access the MySQL database on the same server, there
> wouldn't be any SQL injection issues, particularly since I never send any
> SQL statements from my client app to the server.
>

In the middle of the text, a user puts something like

'; SELECT * FROM fizzbin; DROP TABLE fizzbin; SELECT '

I've probably hacked up the syntax, and there might be an intermediate
query needed to get the table name, but something like this grabs all your
data and deletes it while you thought you were doing an INSERT or such.
-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462
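To make the point above concrete, here is an added example (not from the
original post or from LiveCode) that builds the INSERT the way a naive PHP
script does, by pasting the submitted text into the statement, and runs it
against an in-memory SQLite database so it can be executed offline. The table
names `notes` and `fizzbin`, the sample data and the payload are constructed
for the demo; the payload is the one from the e-mail with its parentheses
adjusted so the whole string parses. `executescript` stands in for a driver
call that accepts several statements at once, which is what makes the `DROP`
run; the safe version binds the text as a parameter so it is stored verbatim.

```python
import sqlite3

# Constructed payload, modelled on the one in the e-mail: the leading ')
# closes the VALUES list the script opened, the trailing SELECT (' swallows
# the quote and parenthesis the script appends afterwards.
PAYLOAD = "'); SELECT * FROM fizzbin; DROP TABLE fizzbin; SELECT ('"

# Constructed schema and sample data (assumed names, not from the post).
SCHEMA = """
CREATE TABLE notes (body TEXT);
CREATE TABLE fizzbin (secret TEXT);
INSERT INTO fizzbin VALUES ('the data you cared about');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def build_vulnerable_sql(user_text):
    # Mirrors  "INSERT INTO notes (body) VALUES ('" . $_POST['text'] . "')"
    # in a PHP script: the user's text is spliced into the SQL, quotes and all,
    # so the database cannot tell data from statement.
    return "INSERT INTO notes (body) VALUES ('" + user_text + "')"


def insert_vulnerable(conn, user_text):
    # executescript runs every statement in the string, standing in for a
    # database API that accepts stacked statements.
    conn.executescript(build_vulnerable_sql(user_text))


def insert_safe(conn, user_text):
    # Parameter binding: the text travels to the engine separately from the
    # statement and is never parsed as SQL, whatever quotes it contains.
    conn.execute("INSERT INTO notes (body) VALUES (?)", (user_text,))
    conn.commit()


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def stored_bodies(conn):
    return [r[0] for r in conn.execute("SELECT body FROM notes")]


def demo():
    """Run the same payload through both code paths and report what happened."""
    results = {}

    conn = fresh_db()
    insert_vulnerable(conn, PAYLOAD)
    results["vuln_fizzbin_survives"] = table_exists(conn, "fizzbin")  # False
    results["vuln_bodies"] = stored_bodies(conn)                     # ['']
    conn.close()

    conn = fresh_db()
    insert_safe(conn, PAYLOAD)
    results["safe_fizzbin_survives"] = table_exists(conn, "fizzbin")  # True
    results["safe_bodies"] = stored_bodies(conn)                     # [PAYLOAD]
    conn.close()

    return results


if __name__ == "__main__":
    print(build_vulnerable_sql(PAYLOAD))
    for key, value in demo().items():
        print(key, "=", value)
```

Print `build_vulnerable_sql(PAYLOAD)` and you see the single INSERT has become
four statements; that is the whole attack, and it needs nothing from the client
except a text field. Whether a stacked `DROP` actually executes depends on the
database API in use, but the quote break-out itself works even where only one
statement is accepted, since it can rewrite the statement's own WHERE or VALUES
clause. Binding parameters (PDO or mysqli prepared statements in PHP, `?` here)
closes both cases; escaping by hand is the fragile alternative.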
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode