From what I understand, it's all queries that need this protection, not just INSERT/UPDATE.

One example that Brian Dailey gave was with your original query:

$query = "SELECT * FROM `jobsdb` WHERE `id` =".$_POST['id']."";

Someone could supply in $_POST['id']:

1; DROP `jobsdb`;

This could easily be transferred to:

SELECT * FROM `jobsdb` WHERE `id` = ".$_POST['id']."";

and $_POST['id'] could still contain 1; DROP `jobsdb`, thus the full query would result in:

SELECT * FROM `jobsdb` WHERE `id`=1; DROP `jobsdb`

This is my understanding however, and I could be wrong. Any clarification on the subject would be nice.

On 8/15/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
>
> I ran a test (just added a SQL command, harmless one in a text field) to see
> what happens on SQL injection, without proper slashing or escaping
> (addslashes/mysql_real_escape_string). I like mysql_real... cause it takes
> the guess work out of making the data safe. Thanks everyone for the brief
> lesson on the dangers of this (now I get to go back to all my INSERT/UPDATE
> queries and add this functionality, better safe than sorry).
>
> Anthony Wlodarski
> Senior Technical Recruiter
> Shulman Fleming & Partners
> 646-285-0500 x230
> [EMAIL PROTECTED]
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ben Sgro (ProjectSkyLine)
> Sent: Tuesday, August 14, 2007 9:15 PM
> To: NYPHP Talk
> Subject: Re: [nyphp-talk] Is there something wrong with this SQL query in PHP?
>
> heh,
>
> Yeah I guess. They weren't validating the user's input. = ]
>
> - Ben
>
> Ben Sgro, Chief Engineer
> ProjectSkyLine - Defining New Horizons
>
> ----- Original Message -----
> From: "John Campbell" <[EMAIL PROTECTED]>
> To: "NYPHP Talk" <talk@lists.nyphp.org>
> Sent: Tuesday, August 14, 2007 8:31 PM
> Subject: Re: [nyphp-talk] Is there something wrong with this SQL query in PHP?
>
> >> They had the exact same problems w/XSS, no input validation.
> >
> > Input validation? Don't you mean output escaping? You must not allow
> > uber leet usernames like |<33|>. :)
> >
> > -john campbell
> > _______________________________________________
> > New York PHP Community Talk Mailing List
> > http://lists.nyphp.org/mailman/listinfo/talk
> >
> > NYPHPCon 2006 Presentations Online
> > http://www.nyphpcon.com
> >
> > Show Your Participation in New York PHP
> > http://www.nyphp.org/show_participation.php

--
Brian O'Connor
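A parameterised version of the `jobsdb` lookup discussed in this thread, added here as an example; it is not code from the thread or from any of the posters. It assumes the mysqli extension with the mysqlnd driver (for `get_result()`), and the connection details are placeholders.

```php
<?php
// Added example: the concatenated query from the thread beside a prepared
// statement. Table and column names follow the thread; credentials below
// are placeholders, not real values.

// Vulnerable pattern from the thread: the raw request value becomes part of
// the SQL text, so it can change the shape of the statement, not just a value.
function findJobVulnerable(mysqli $db, array $post): mysqli_result|bool
{
    $query = "SELECT * FROM `jobsdb` WHERE `id` =" . $post['id'] . "";
    return $db->query($query);
}

// Hardened: the statement text is fixed and compiled first; the value is
// bound afterwards and is only ever treated as data, never as SQL.
function findJob(mysqli $db, string $rawId): ?array
{
    // The column is numeric, so reject anything that is not a plain integer
    // before it goes anywhere near the database ("1; DROP `jobsdb`" fails here).
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $id = (int) $rawId;

    $stmt = $db->prepare('SELECT * FROM `jobsdb` WHERE `id` = ?');
    $stmt->bind_param('i', $id);   // 'i' binds the value as an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Make mysqli throw on errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
$db->set_charset('utf8mb4'); // escaping and binding must agree with the connection charset

$job = findJob($db, $_POST['id'] ?? '');
```

The validation step is independent of the prepared statement: even without it, the bound value cannot terminate the statement and start a second one, because the server already received the statement text before the value arrived.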