One thing that I do know is dangerous is deleting rows based on an
integer field with an unprocessed value;

Example: Delete row script

if($delete && $id){
        "delete from mytable where id = $id";


By simply appending an all inclusive sql clause.

$id = "21421 or 1 = 1";

Ca-Boom! The entire table has been deleted. Don't you feel dumb!

Instead process the input.
$id = abs($id);

-----Original Message-----
From: Bogdan Stancescu [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, December 20, 2001 5:40 PM
Subject: [PHP] Mommy, is it true that...?

2. Please enter your age: 25; drop database mysql

Does this actually work?

I've read at least a dozen articles telling people to get it in their
blood not to trust users and addslashes to any king incoming data, as
well as pass it as strings to mysql ("insert into person set age='$age'"
instead of "insert into person set age =$age).

So I decided I had to test this: I wrote the code exactly as in the
example; I provided the exact dangerous input (well, to be honest, I
tried a select instead of drop mysql). When I tried it, the presumably
dangerous situation degraded into a trivial MySQL error. It went
something like "You have an error near '; select 1+1'".

Did you ever actually try this? Does it work on your system?

Thanks in advance for the input!


PHP General Mailing List (
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to