Posted by Rafe Culpin on 12/19/06 17:20

In article <nbydnaYXfJ8wkBXYnZ2dnUVZ_qfinZ2d@cablespeedmi.com>,
nobody@spamcop.net (bill) wrote:

> >> 1: Do I need to worry about SQL injection if I do not process the
> >> incoming free form data ?
> >
> > Why do you let the visitor fill in data if you do not process it?
>
> I guess I should be more clear. I save the data in a mysql
> database

In that case an injection attack might well be possible and must be
guarded against. The text passed to the database might include a string to
say "That's the end of the data to be stored, and now here's the command
to delete the database".

--
To reply email rafe, at the address cix co uk

[Back to original message]