Philip Olson wrote:

on the contrary:
$sql = mysql_query("select * from users where name='".$name."'");

will simply look for a user with a name of "Jim; delete from users;" and
return no results found.

But I can also enter: jim'; delete from users

You need to catch if there's a quote in the $name too, and escape that.


One thing to remember is mysql_query() will execute just one (the first)
query so use of ; won't do anything in the above except break the
query.

One should note that this isn't always the case for other databases, though. You can execute more than one query at a time with SQLite, for example. MySQL 4.1 allows more than one query at a time if you open the connection with a certain flag (in the C API at least), yet for "security" reasons, this flag wasn't included in the MySQLi extension. There is a multi_query() function/method, though. Hopefully you know what you're doing if you decide to use that function/method, though.


PHP is a newbie friendly language
and newbies are for the most part clueless and don't know what strings or
integers are, or why data should be escaped, or what data validation is or
why it's important.

Yeah and we should turn register_globals back on by default, too!! ;)

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
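The point the thread circles around (a ';' inside the quotes is harmless, a quote that closes the string literal is not, and whether a second statement then runs depends on the driver) is easy to demonstrate end to end. The following is an added example, not code from the thread: it uses Python's sqlite3 module rather than PHP and MySQL, because SQLite is mentioned above and because sqlite3's execute() runs exactly one statement (like mysql_query()) while executescript() runs every statement in the string (like mysqli's multi_query()). The users table, the names in it, and the quote-closing payload are constructed for the example; the payload deliberately reuses the closing quote the concatenation appends, so both resulting statements are well formed. Escaping is done by doubling the single quote, which is SQL's (and SQLite's) literal syntax; on MySQL you would use mysql_real_escape_string() instead, but the effect on the concatenated string is the same.

```python
import sqlite3

# Constructed sample data standing in for the thread's MySQL "users" table.
SEED_USERS = ["jim", "alice", "bob"]

# Input from Philip's message: the ';' sits inside the quotes, so it is
# just part of the name being searched for.
PAYLOAD_NO_QUOTE = "Jim; delete from users;"

# Quote-closing input in the spirit of John's reply (constructed here).
# It reuses the closing quote appended by the concatenation, giving:
#   select * from users where name='jim'; delete from users where name='bob'
PAYLOAD_QUOTE = "jim'; delete from users where name='bob"


def fresh_db():
    """In-memory SQLite database seeded with the sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (name text)")
    conn.executemany("insert into users values (?)", [(u,) for u in SEED_USERS])
    conn.commit()
    return conn


def build_query(name, escape=False):
    """The concatenation pattern from the thread. With escape=True the
    quote is doubled, SQL's way of putting a literal quote in a string."""
    if escape:
        name = name.replace("'", "''")
    return "select * from users where name='" + name + "'"


def remaining_users(conn):
    return conn.execute("select count(*) from users").fetchone()[0]


def concat_lookup(name, multi=False, escape=False):
    """Run the concatenated query against a fresh database.

    multi=False: execute() runs one statement and rejects a string that
                 contains more, the mysql_query() situation.
    multi=True:  executescript() runs every statement in the string, the
                 mysqli multi_query() situation (no result set comes back).
    Returns (rows_matched, users_left, error_name_or_None).
    """
    conn = fresh_db()
    sql = build_query(name, escape=escape)
    rows, err = [], None
    try:
        if multi:
            conn.executescript(sql)
        else:
            rows = conn.execute(sql).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as e:  # older Pythons raise Warning
        err = type(e).__name__
    left = remaining_users(conn)
    conn.close()
    return len(rows), left, err


def safe_lookup(name):
    """Parameterised query: the value is bound, never parsed as SQL, so no
    escaping is needed and no second statement can be smuggled in."""
    conn = fresh_db()
    rows = conn.execute("select * from users where name=?", (name,)).fetchall()
    left = remaining_users(conn)
    conn.close()
    return len(rows), left, None


if __name__ == "__main__":
    print("no quote, single stmt :", concat_lookup(PAYLOAD_NO_QUOTE))
    print("quote, single stmt    :", concat_lookup(PAYLOAD_QUOTE))
    print("quote, multi stmt     :", concat_lookup(PAYLOAD_QUOTE, multi=True))
    print("quote, multi, escaped :", concat_lookup(PAYLOAD_QUOTE, multi=True, escape=True))
    print("quote, parameterised  :", safe_lookup(PAYLOAD_QUOTE))
```

Running it shows the three regimes side by side: Philip's payload matches nothing and deletes nothing in either mode; John's style of payload is refused by the single-statement driver (the query "breaks"), but with multi-statement execution it silently deletes bob; doubling the quote or, better, binding the value as a parameter leaves the table intact in both modes.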


