It doesn't. What you're seeing is an SQL injection attack. If you *trust* the SQL code you allow from POST or GET requests, your SQL server will be own3d in due course.

That URL actually translates to 456456456 OR 1<>2

Which is always true. So If you use this verbatim, you'll get a true result (if you were using it as part of a login process, the user would be in without providing a login and password :-p )

I always, *always* apply $result=(integer) $_GET["uid"] to these strings : That way you are guaranteed it's a number not a string.

Cheers - Neil

From: "Dan Bowkley" <[EMAIL PROTECTED]>
Date: Sun, 9 May 2004 15:17:19 -0700
MIME-Version: 1.0
Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DB] supernoob strikes again

I thought "4" didn't equal "456456456%20%20OR%201<>2"

CaptionKit : Production tools
for accessible subtitled internet media, transcripts
and searchable video. Supports Real Player, Quicktime
and Windows Media Player.

VideoChat with friends online, get Freshly Toasted every
day at : NetMeeting solutions
for a connected world.

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to