On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw <onatawah...@yahoo.ca> wrote:

Hi Karl,

If you look at the link you provided you'll notice that some of the code is for 
ASP.net and some is for PHP.

I have looked in the link. Most problems by inject an sql-Code is to add something in the where-clause let it end with a semicolon and add an additional sql-command behind the semicolon. In this case you have two SQL-Command. The first maybe a Select-Command and the next can be to drop a whole table with all its content.

One thing you can do is to trim the Select-Statement and trough all behind a semicolon in addition the semicolon away.

Another securitymethod of mysql that the fieldvarables are capseled by escaping. So mysql get note that this is a variable content for a formfield and should looked like that.


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to