Posted by bill on 12/19/06 18:53

Rafe Culpin wrote:
> In article <nbydnaYXfJ8wkBXYnZ2dnUVZ_qfinZ2d@cablespeedmi.com>,
> nobody@spamcop.net (bill) wrote:
>
>>>> 1: Do I need to worry about SQL injection if I do not process the
>>>> incoming free form data ?
>>> Why do you let the visitor fill in data if you do not process it?
>> I guess I should be more clear. I save the data in a mysql
>> database
>
> In that case an injection attack might well be possible and must be
> guarded against. The text passed to the database might include a string to
> say "That's the end of the data to be stored, and now here's the command
> to delete the database".
>
Ok, thank you.
I will sanitize the data.
bill

[Back to original message]