Right, I think I have that covered since I prepare and bind the data in
separate steps using the php functions for those purposes.

So instead of assembling a SELECT statement like this:

SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'

... and then executing it directly, I prepare this statement:

SELECT col1,col2,col3 FROM table WHERE col4=?

...and then bind the supplied user data to the ? placeholder.  Any injected
data for the col4 value is treated as part of the value to be searched for
in col4 rather than an extension of the SELECT statement.

That's why it is so important to use the variableslist parameter of the
LC DB functions if you are connecting directly to a database server.

At least I think that's how it works....



On Thu, Apr 7, 2016 at 4:31 PM Dr. Hawkins <doch...@gmail.com> wrote:

> On Wed, Apr 6, 2016 at 1:03 PM, Peter Haworth <p...@lcsql.com> wrote:
>
> > Now you've got me worried!  I had the impression that since the php
> scripts
> > run on my server and access the mySQL database on the same server, there
> > wouldn't be any sql injection issues, particularly since I never send any
> > SQL statements from my client app to the server.
> >
>
> In the middle of the text, a user puts something like
>
> '; || SELECT * FROM fizzbin ;DROP TABLE fizz bin; SELECT '
>
>
> I've probably hacked up the syntax, and there might be an intermediate
> query needed to get the table name, but something like this grabs all your
> data and deletes it while you thought you were doing an INSERT or such.
> --
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
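Added example, not code from either message: the prepare-then-bind pattern described above, run side by side with the string-assembled query it replaces. It is written in Python against an in-memory SQLite table (a stand-in for the PHP/mySQL setup in the thread; the table name `tbl`, its rows and both user inputs are constructed for the demo), but the behaviour is the driver's, not the language's: PHP's mysqli and PDO `prepare()`/`execute()` do the same thing. Two inputs are tried: a tautology that extends the WHERE clause when concatenated, and an ordinary surname containing an apostrophe, which breaks the concatenated query but is handled correctly when bound.

```python
import sqlite3

# Constructed sample rows standing in for the thread's col1..col4 table.
SAMPLE_ROWS = [
    ("a1", "a2", "a3", "alice"),
    ("b1", "b2", "b3", "bob"),
    ("c1", "c2", "c3", "carol"),
    ("d1", "d2", "d3", "O'Brien"),   # legitimate data with a quote in it
]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, user_value):
    """The 'assemble the statement' approach: user text becomes SQL grammar."""
    sql = "SELECT col1,col2,col3 FROM tbl WHERE col4='" + user_value + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # A stray quote in honest data is enough to break this version.
        return "error: " + type(exc).__name__


def lookup_bound(conn, user_value):
    """The prepare-and-bind approach: the statement is fixed, the value is data."""
    sql = "SELECT col1,col2,col3 FROM tbl WHERE col4=?"
    return conn.execute(sql, (user_value,)).fetchall()


def demo():
    """Run both lookups over an honest value, a tautology, and a quoted name."""
    conn = make_db()
    honest = "bob"
    tautology = "' OR '1'='1"   # constructed: closes the quote, extends the WHERE
    quoted = "O'Brien"          # constructed: ordinary data containing a quote
    return {
        "concat_honest": lookup_concatenated(conn, honest),
        "concat_tautology": lookup_concatenated(conn, tautology),
        "concat_quoted": lookup_concatenated(conn, quoted),
        "bound_honest": lookup_bound(conn, honest),
        "bound_tautology": lookup_bound(conn, tautology),   # searched as a literal
        "bound_quoted": lookup_bound(conn, quoted),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

With concatenation the tautology returns every row and the apostrophe in "O'Brien" raises a syntax error; with binding the tautology matches nothing (no row has that literal string in col4) and "O'Brien" finds its one row. That second case is the everyday reason to bind even on a server the client never sends SQL to: the same mechanism that stops injection also stops legitimate data from corrupting the statement.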