on 5/26/02 12:47 PM, Dave Carrera at [EMAIL PROTECTED] appended the
following bits to my mbox:

> All you need to do is create an array from your sql like this:
> 1st place your dumped sql statement into a varibale.
> 2nd create an array from your sql like this
> if(isset($your_execution_var))
> {
> $array = explode( ';', $sqlvar );
> foreach( $array as $value )
> {


I don't know how you intend to use this code, private or public, development
or production, but I just wanted to add this warning...

This type of solution could lead to SQL injection problems if user input
isn't properly checked.  One nice security aspect of PHP and MySQL is that
it *doesn't* support multiple queries with semicolons.  Because of this, it
isn't vulnerable to the myriad multiple query SQL injection attacks.  For
example, if you have a variable $somedata which is updated like this:

UPDATE tablename SET somefield="' . $somedata . '"

Without the use of proper taint checking, a user could change that by
setting the $somedata variable to --somedata"; delete from tablename-- and
thereby issue a query to delete your table's entire contents.

Usually, with PHP and MySQL such a query would fail.  If you use the above
code, it would succeed.

Just a word of warning.


Paul Burney


// the statement formerly known as prince
if ($the_elevator == 'tries to bring you down') {
    go_crazy('punch a higher floor');


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to