On Mar 11, 2005, at 3:30 AM, Kim Madsen wrote:
Or better: I put my query in a link like <a href="db.php?q=select+*+from+customers">show customers</a> and I've got NO clue about the settings in the mysql db, so this gets "funny"
<a href="db.php?q=delete+from+customers">show customers</a>
<a href="db.php?q=drop+table+customers">show customers</a>
Any application that trusts user input to this extent is in trouble from the start. Whether or not you have a database doesn't make a difference.
Consider:
<a href="script.php?shellcmd=rm+-rf+*">run command</a>
No database required, but I have now deleted everything that the web server process has rights to in the current directory. This of course assumes that script.php accepts shell commands and runs them unconditionally.
*whistle*
This _was_ an issue in a company I worked for, along with queries like:
Select blablabla FROM t1,t2,t3 WHERE customers LIKE '%$s%' OR name LIKE '%$s%' OR domain LIKE '%$s%' OR email LIKE '%$s%' OR log LIKE '%$s%' AND t1.id = t2.t1_id AND t1.id = t3.t1_id
Horror!
Perhaps I'm missing something, but what's wrong with that query? It looks like a pretty normal search query to me. If you need to search through a bunch of records for various text fragments, and you're not certain which field they're in, why *wouldn't* you use a query like this?
--
Kurt Yoder http://yoderhome.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
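The `LIKE '%$s%'` search quoted in this thread, as an added example that is not part of the mailing-list messages: the string-interpolated form next to a parameterised one. It is written in Python with the standard-library `sqlite3` module standing in for MySQL and PHP (the `customers` table, its rows and the function names are constructed here); the interpolated function reproduces the pattern from the thread on purpose, the parameterised function is the fix.

```python
"""Interpolated vs. parameterised LIKE search (added example, not from the thread).

sqlite3 stands in for MySQL; the table, rows and function names are constructed.
"""
import sqlite3

# Constructed sample data standing in for the thread's 'customers' table.
SAMPLE_ROWS = [
    ("Alice Example", "alice.example", "alice@example.test"),
    ("Bob Sample", "bob.test", "bob@sample.test"),
    ("Carol Demo", "carol.invalid", "carol@demo.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, domain TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, domain, email) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def search_interpolated(conn: sqlite3.Connection, s: str) -> list:
    """The pattern from the thread: the user's $s pasted straight into the SQL text.

    A value containing a quote rewrites the WHERE clause; a bare '%' matches every row.
    """
    sql = (
        "SELECT name FROM customers WHERE name LIKE '%" + s + "%' "
        "OR domain LIKE '%" + s + "%' OR email LIKE '%" + s + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(s: str, esc: str = "\\") -> str:
    """Escape the LIKE metacharacters so user text is matched literally.

    Parameter binding keeps the SQL structure intact, but '%' and '_' are still
    wildcards inside the pattern; the ESCAPE clause in the query neutralises them.
    """
    return s.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_parameterised(
    conn: sqlite3.Connection, s: str, escape_wildcards: bool = True
) -> list:
    """Same search with the value bound as a parameter; the SQL text never changes."""
    needle = escape_like(s) if escape_wildcards else s
    pattern = "%" + needle + "%"
    sql = (
        "SELECT name FROM customers WHERE name LIKE ? ESCAPE '\\' "
        "OR domain LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input: closes the quoted pattern and comments out the rest.
    tautology = "%' OR 1=1 -- "
    print("interpolated:", search_interpolated(db, tautology))   # every customer
    print("parameterised:", search_parameterised(db, tautology)) # nothing
    print("bare wildcard, bound but unescaped:",
          search_parameterised(db, "%", escape_wildcards=False))  # every customer
```

Two separate defects show up here. Quoting is the one the thread is about: with interpolation, the constructed input turns the query into `WHERE name LIKE '%%' OR 1=1 -- ...`, so the whole table comes back (and on a driver that runs several statements per call, a `;` would do far more). Wildcards are the quieter one: even with binding, an unescaped `%` or `_` in the value still matches everything, which is why `escape_like` and the `ESCAPE` clause belong with the parameterised version. Unrelated to input handling, note that in the query as written in the thread `AND` binds tighter than `OR`, so the join conditions `t1.id = t2.t1_id AND t1.id = t3.t1_id` apply only to the last `log LIKE` branch and the other branches produce a cross product of `t1`, `t2` and `t3`; parenthesising the `OR` group fixes that.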