On Thu, Aug 27, 2009 at 04:38, Raheel Hassan<raheel.has...@gmail.com> wrote:
> About quote():
> Many thanks for your reply, but what is the difference in;
> select * from tablesname where x = ''; drop table tablename; --';
> and
> select * from tablesname where x = '\'; drop table tablename; --';
> both the statements seem to be SQL injection attacks.  What is the role
> that quote played??
>
>
> Regards,
> Raheel.
snip

The first is an SQL injection attack.  The database will see it as two
statements and a comment:

select * from tablesname where x = '';

drop table tablename;

and --'

The second is seen as one statement.  The \ removes the special
meaning of ', so it does not end the SQL string.  This means you will
search tablename for a row whose x field is "'; drop table tablename;
--".  Most likely there is no such row, but getting nothing back is
much better than just dropping the table.


-- 
Chas. Owens
wonkden.net
The most important skill a programmer can have is the ability to read.
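
Added example, not part of the original message: a small Perl script that contrasts naive interpolation with `$dbh->quote()` and with a bind placeholder, using the same input string discussed in the thread. It assumes DBD::SQLite is installed and uses a constructed in-memory table; the escape form is driver-specific (the thread shows a backslash, while DBI's default is to double the quote), but the effect is the same.

```perl
#!/usr/bin/perl
# Added illustration: constructed table and input, in-memory SQLite
# (assumes DBD::SQLite is installed). Not code from the thread.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0, AutoCommit => 1 });

$dbh->do("CREATE TABLE tablename (x TEXT)");
$dbh->do("INSERT INTO tablename (x) VALUES ('alice')");

# Constructed hostile input: the string from the thread.
my $input = "'; drop table tablename; --";

# 1. Naive interpolation. The quote inside $input closes the SQL string
#    early, so the text parses as two statements and a comment.
#    Printed only, never executed.
my $unsafe = "select * from tablename where x = '$input'";
print "interpolated: $unsafe\n";

# 2. quote(). The driver escapes the embedded quote and adds the outer
#    quotes, so the whole input stays inside one string literal.
my $quoted = $dbh->quote($input);
my $safe   = "select * from tablename where x = $quoted";
print "quoted:       $safe\n";
my $rows = $dbh->selectall_arrayref($safe);
printf "rows matched via quote():     %d\n", scalar @$rows;

# 3. Placeholder. The value is bound separately from the SQL text,
#    so it is never parsed as SQL at all.
my $bound = $dbh->selectall_arrayref(
    "select * from tablename where x = ?", undef, $input);
printf "rows matched via placeholder: %d\n", scalar @$bound;

# The table is still there after both safe queries.
my ($count) = $dbh->selectrow_array("select count(*) from tablename");
print "rows still in tablename: $count\n";

$dbh->disconnect;
```

Both safe queries match no rows and the table keeps its one row, which is the "getting nothing back" outcome described above.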
