In article <[EMAIL PROTECTED]>,
[EMAIL PROTECTED] writes:

> I agree and I am sorry I forgot a very basic security practice. You must 
> always check any input from a user.  Make sure that the user gives you a 
> valid number and reject the request if it is anything out of your 
> acceptable range or datatype.

Not necessarily - most of these problems can be solved by the DBMS
itself as long as you give it a chance to do so.  In general DBMSs are
smart enough to figure out that " WHERE id = '123'" really should be a
numeric comparison.  This means that you just need to transform your
parameters to valid strings in order to be on the safe side.  Simply
surrounding them by single quotes is _not_ enough - you must also
properly escape embedded single quotes.  Most APIs are able to do that
for you (e.g. Perl: $dbh->quote()).

> Otherwise a "bad" user could compromise your 
> database or worse create havoc on your server. 

Yes.

> hf0722x,  what I was trying to help correct was a basic misunderstanding 
> of how to create dynamic SQL statements with PHP. Stuart is struggling to 
> understand 3 environments at once (MySQL, PHP, and Dreamweaver) and I 
> wasn't even thinking about input validation. 

I know that my remark (as opposed to yours) was not helpful regarding
Stuart's actual problems, but precisely because he is a newbie he
should not get accustomed to dangerous practices.


-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/[EMAIL PROTECTED]
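The quoting rule the reply describes (wrap in single quotes and double every embedded quote, as DBI's $dbh->quote() does) as an added, runnable example that is not part of the original thread; it uses Python and an in-memory SQLite table, with a constructed `items` table and a hypothetical `quote()` helper standing in for the driver's own function:

```python
import sqlite3


def quote(value) -> str:
    """Turn a user-supplied value into a safe SQL string literal.

    Mirrors what DBI's $dbh->quote() does: wrap in single quotes and
    double every embedded single quote, so the value can never end the
    literal early.  MySQL drivers additionally escape backslashes and NUL
    bytes, so in production call the driver's own quoting function.
    """
    return "'" + str(value).replace("'", "''") + "'"


def lookup_by_id(conn, user_input: str) -> list:
    """Build the statement from the quoted, escaped form of the input."""
    sql = "SELECT id, name FROM items WHERE id = " + quote(user_input)
    return conn.execute(sql).fetchall()


def naive_lookup_by_id(conn, user_input: str) -> list:
    """The broken pattern: quotes added, embedded quotes left unescaped."""
    sql = "SELECT id, name FROM items WHERE id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed sample table (hypothetical data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [(123, "widget"), (456, "gadget")])
    return conn


def demo() -> dict:
    conn = make_db()
    results = {}
    # The DBMS coerces '123' to a number for the INTEGER column, as the post says.
    results["numeric_ok"] = lookup_by_id(conn, "123")
    # An input with an embedded quote stays one harmless literal when escaped...
    results["quoted_odd_input"] = lookup_by_id(conn, "12'3")
    # ...but merely surrounding it with quotes breaks the statement.
    try:
        naive_lookup_by_id(conn, "12'3")
        results["naive_odd_input"] = "no error"
    except sqlite3.OperationalError:
        results["naive_odd_input"] = "syntax error"
    return results
```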
