Posted by Rob Wilkerson on 11/27/07 14:46
On Nov 25, 11:15 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>
> Hi, Rob,
>
> Sorry, mdb2 doesn't allow multiple queries in the same statement.
> Although it's annoying in your case, it can also be a safety valve.
>
> For instance, what happens if you have something like:
>
> "UPDATE TABLE1 SET a=3 where b=" . $_POST['invalue'];
>
> And some hacker changes $_POST['invalue'] to be something like:
>
> "4; DELETE FROM TABLE1"
>
> The result would be:
>
> UPDATE TABLE1 SET a=3 WHERE b=4;DELETE FROM TABLEA
>
> Now I agree you should validate $_POST['invalue'] before using it, but
> you get the idea.
Ah, SQL injection. I hope I never have to count on my database
abstraction layer to protect me from such attacks, but I guess it's a
nice safety net. Maybe. :-)
Anyway, thanks for the input guys. It's not a huge deal, I was just
surprised that it wasn't possible so I thought I'd ask. I ended up
building my SQL as before, but then exploding it and iterating over
the array of statements. Works just fine.
Thanks again.
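The three approaches discussed in this thread side by side, as an added example that is not code from either poster: Jerry's concatenated query, the same update written as an MDB2 prepared statement with an integer-typed placeholder, and Rob's one-exec-per-statement loop. It assumes PEAR MDB2 is installed, that a table TABLE1(a INT, b INT) exists, and that the DSN is a placeholder.

```php
<?php
// Added example, not from the thread. Assumes PEAR MDB2 and a table
// TABLE1(a INT, b INT); the DSN is a placeholder to be replaced.
require_once 'MDB2.php';

$mdb2 = MDB2::factory('mysql://user:pass@localhost/dbname');
if (MDB2::isError($mdb2)) {
    die($mdb2->getMessage());
}

// Constructed input standing in for $_POST['invalue'] in Jerry's example.
$invalue = '4; DELETE FROM TABLE1';

// 1. Vulnerable: the input is spliced into the SQL text. MDB2's refusal to
//    run stacked statements happens to block the DELETE here, but a driver
//    or layer that allows multiple statements would execute it.
$unsafe = "UPDATE TABLE1 SET a=3 WHERE b=" . $invalue;
echo "Would run: $unsafe\n";

// 2. Hardened: a prepared statement with a typed placeholder. The value is
//    bound as an integer, never as SQL text, so the '; DELETE ...' tail can
//    only be cast away or rejected; it cannot become a second statement.
$stmt = $mdb2->prepare('UPDATE TABLE1 SET a = 3 WHERE b = ?',
                       array('integer'), MDB2_PREPARE_MANIP);
if (MDB2::isError($stmt)) {
    die($stmt->getMessage());
}
$res = $stmt->execute(array($invalue));
if (MDB2::isError($res)) {
    echo "Rejected: " . $res->getMessage() . "\n";
}
$stmt->free();

// 3. Rob's approach: build the batch, split it, run each statement with its
//    own exec(). Splitting on ';' is only safe when no string literal or
//    comment in the batch contains a ';' of its own.
$batch = "UPDATE TABLE1 SET a = 1 WHERE b = 2;\n"
       . "UPDATE TABLE1 SET a = 5 WHERE b = 6";
foreach (array_filter(array_map('trim', explode(';', $batch))) as $sql) {
    $res = $mdb2->exec($sql);
    if (MDB2::isError($res)) {
        die($res->getMessage());
    }
}
```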