On 04/07/2016 06:41 PM, Peter Haworth wrote:
> Right, I think I have that covered since I prepare and bind the data in
> separate steps using the php functions for those purposes.
> So instead of assembling a SELECT statement like this:
> SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'
> ... and then executing it directly, I prepare this statement:
> SELECT col1,col2,col3 FROM table WHERE col4=?
> ...and then bind the supplied user data to the ? placeholder. Any injected
> data for the col4 value is treated as part of the value to be searched for
> in col4 rather than an extension of the SELECT statement.
... WHERE col4='*' or 1=1;
--
Mark Wieder
ahsoftw...@gmail.com
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
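Added illustration, not code from the thread: the same two forms of the SELECT (string assembly versus a `?` placeholder) side by side in Python's sqlite3 module rather than PHP, run against a constructed in-memory table, so the effect of the `' or 1=1` fragment above can be seen directly.

```python
import sqlite3

# Constructed in-memory sample data (not from the thread); col4 is the searched column.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?, ?, ?)", [
        ("a1", "a2", "a3", "alice"),
        ("b1", "b2", "b3", "bob"),
        ("c1", "c2", "c3", "* or 1=1"),  # a stored value that merely looks like SQL
    ])
    return conn

def search_concat(conn, user_input):
    """The pattern the thread warns against: user data spliced into the SQL text."""
    sql = "SELECT col1,col2,col3 FROM t WHERE col4='" + user_input + "'"
    return conn.execute(sql).fetchall()

def search_prepared(conn, user_input):
    """Placeholder form: the statement text is fixed, the value travels separately."""
    sql = "SELECT col1,col2,col3 FROM t WHERE col4=?"
    return conn.execute(sql, (user_input,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    # A plain value behaves the same either way.
    print(search_concat(conn, "bob"), search_prepared(conn, "bob"))
    # The fragment from the reply above: with concatenation the quote closes the
    # literal and "or 1=1" becomes part of the WHERE clause, so every row matches.
    hostile = "*' or 1=1 or ''='"
    print(len(search_concat(conn, hostile)))  # 3
    # Bound as a parameter it is just a string that no row has in col4.
    print(search_prepared(conn, hostile))     # []
    # A value that happens to contain SQL-looking text is matched literally.
    print(search_prepared(conn, "* or 1=1"))  # [('c1', 'c2', 'c3')]
```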