At 03:39 AM 12/21/2001 +0200, Bogdan Stancescu wrote:
>Two things I consider urban myths about PHP (plus MySQL) - please let me
>know what you think of these:
>1. The evil global variables
>My question to you guys is this: does anybody know of a real example where
>reasonably careful coding led to disaster with global variables?
I personally don't, but apparently the PHP developers think it's enough of
a risk that they've deprecated register_globals in 4.1.0...
>2. Please enter your age: 25; drop database mysql
>Does this actually work?
>So I decided I had to test this: I wrote the code exactly as in the
>example; I provided the exact dangerous input (well, to be honest, I
>tried a select instead of drop mysql). When I tried it, the presumably
>dangerous situation degraded into a trivial MySQL error. It went
>something like "You have an error near '; select 1+1'".
I've done something similar in the past just for kicks, and I got the same
result you did (i.e. an error). I believe this is because mysql_query()
expects ONE query at a time and will break if you send two or more. I
could be completely and totally wrong about that, though (someone please
correct me if I am)...
PHP General Mailing List (http://www.php.net/)