Hi!

Its been possible to do the following via the protocol:

select 1; select 1;

And send them in the same packet. What is the problem?

SQL injection.

It makes it really simple for someone to pack in a new SQL statement by accident.

I am thinking we should header the protocol so that each statement is in its own envelope. You can still send multiple SQL statements in the same packet, but not via a simple delimiter.

And while we are at it remove the delimiter command and make sure all of its logic is in the client, not the server.

Cheers,
        -Brian
--
_______________________________________________________
Brian "Krow" Aker, brian at tangent.org
Seattle, Washington
http://krow.net/                     <-- Me
http://tangent.org/                <-- Software
_______________________________________________________
You can't grep a dead tree.




_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~drizzle-discuss
More help   : https://help.launchpad.net/ListHelp

Reply via email to