Posted by "Richard Lynch" on 10/29/05 22:48
On Sat, October 29, 2005 4:45 am, Bogdan Ribic wrote:
>> $value1 = 'xyz","xyz"); DELETE FROM MYTABLE;';
>>
>> you might get surprising results!
>>
>> This is called SQL injection and it's important to escape all the
>> values
>> before putting them into the statement.
>
>
> Did you try that? This doesn't work on my machine:
>
> mysql_query("DELETE FROM mytable; DELETE FROM mytable;");
>
> ie, mysql extension won't let me do more than one statement at a time.
PHP MySQL has not allowed multiple statements per query for a while, I
think.
I also think it's possible to change that, or that it might change in
the future.
Regardless of all that, the general principle remains sound.
Even if the one specific example does not work, that doesn't mean that
there aren't a few billion that WILL work to compromise your site.
http://phpsec.org
--
Like Music?
http://l-i-e.com/artists.htm