Gave that a whirl with col4=? and a bind parameter of "*" OR 1=1 for it and it returned no data. Pretty sure it takes the whole string as a search value for col4.
On Thu, Apr 7, 2016 at 7:19 PM Mark Wieder <mwie...@ahsoftware.net> wrote:

> On 04/07/2016 06:41 PM, Peter Haworth wrote:
> > Right, I think I have that covered since I prepare and bind the data in
> > separate steps using the php functions for those purposes.
> >
> > So instead of assembling a SELECT statement like this:
> >
> > SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'
> >
> > ... and then executing it directly, I prepare this statement:
> >
> > SELECT col1,col2,col3 FROM table WHERE col4=?
> >
> > ...and then bind the supplied user data to the ? placeholder. Any injected
> > data for the col4 value is treated as part of the value to be searched for
> > in col4 rather than an extension of the SELECT statement.
>
> ... WHERE col4='*' or 1=1;
>
> --
> Mark Wieder
> ahsoftw...@gmail.com
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
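The exchange above is about whether a value bound to a `?` placeholder can still break out of the WHERE clause. The following is an added example, not code from either poster: it builds the two query shapes from Peter's message (string concatenation versus prepare-and-bind) against an in-memory SQLite table and runs a constructed injection payload through both. The thread uses PHP; this uses Python's `sqlite3` module because the mechanism (a placeholder the driver fills with the value) is the same. The table name `t`, the sample rows, the payload `*' OR 1=1 --` (Mark's `'*' or 1=1` with a comment marker appended so the trailing quote does not cause a syntax error) and all function names are this example's own assumptions.

```python
import sqlite3

# Constructed attacker-style input: a quote to close the literal, an
# always-true condition, and a comment marker to swallow the closing quote.
ATTACK = "*' OR 1=1 --"


def setup_db():
    """Create an in-memory table shaped like the one in the thread (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?, ?, ?)",
        [
            ("a1", "a2", "a3", "alpha"),
            ("b1", "b2", "b3", "beta"),
            ("c1", "c2", "c3", "gamma"),
        ],
    )
    return conn


def search_concatenated(conn, value):
    """The vulnerable shape: user data spliced into the SQL text.

    With ATTACK the statement becomes
        ... WHERE col4='*' OR 1=1 --'
    and the OR 1=1 is parsed as part of the query, so every row comes back.
    """
    sql = "SELECT col1, col2, col3 FROM t WHERE col4='" + value + "'"
    return conn.execute(sql).fetchall()


def search_bound(conn, value):
    """The prepared shape from the thread: the SQL text is fixed, the value is bound.

    The driver never re-parses the value, so the whole string
    "*' OR 1=1 --" is compared against col4 as data and matches nothing.
    """
    sql = "SELECT col1, col2, col3 FROM t WHERE col4=?"
    return conn.execute(sql, (value,)).fetchall()


def search_bound_like(conn, value):
    """Caveat: binding stops structural injection, not wildcard semantics.

    If the query uses LIKE, a bound "%" is still a wildcard and matches every row.
    """
    sql = "SELECT col1, col2, col3 FROM t WHERE col4 LIKE ?"
    return conn.execute(sql, (value,)).fetchall()


def search_bound_like_escaped(conn, value):
    """LIKE with the user's % and _ neutralised via an ESCAPE clause."""
    escaped = value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT col1, col2, col3 FROM t WHERE col4 LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (escaped,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("concatenated:", search_concatenated(db, ATTACK))   # all three rows
    print("bound:       ", search_bound(db, ATTACK))          # []
    print("bound LIKE %:", search_bound_like(db, "%"))        # all three rows
    print("escaped LIKE:", search_bound_like_escaped(db, "%"))  # []
```

The first two functions are the point of the thread: with the placeholder, `*' OR 1=1 --` is just a search value, exactly as Peter observed. The LIKE variants are the practical caveat: a bound parameter cannot change the statement's structure, but if the statement itself contains a pattern operator, `%` and `_` in the value still act as wildcards unless escaped.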