Or even worse: SELECT content FROM data WHERE user=<actualuserid>;DROP TABLE data
On Thu, Aug 13, 2015 at 10:50 AM Mark Waddingham <m...@livecode.com> wrote:

> Here the input field is not being validated in any way, nor is the value
> being escaped. This means that I am then free (as a user of the client)
> to put anything I want into that field. Imagine I put the following into
> the field:
>
> 1 OR user=1 AND id=2
>
> The query the client ends up sending to the DB is:
>
> SELECT content FROM data WHERE user=<actualuserid> AND id=1 OR user=1 AND id=2
>
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
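As an added illustration of the thread's point (not code from either poster, and written in Python with an in-memory SQLite table rather than LiveCode), the string-built query beside a bound-parameter version, run against a constructed `data` table with the exact field value Mark describes:

```python
import sqlite3

# Constructed sample data: two users, each with two private rows.
ROWS = [
    (1, 1, "user1 secret A"),
    (1, 2, "user1 secret B"),
    (2, 1, "user2 secret A"),
    (2, 2, "user2 secret B"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (user INTEGER, id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", ROWS)
    return conn


def fetch_unsafe(conn, user, id_field):
    # Vulnerable: the field is pasted straight into the SQL, as in the thread.
    # With id_field = "1 OR user=1 AND id=2" the WHERE clause becomes
    # (user=2 AND id=1) OR (user=1 AND id=2), leaking another user's row.
    query = f"SELECT content FROM data WHERE user={user} AND id={id_field}"
    return [row[0] for row in conn.execute(query)]


def fetch_safe(conn, user, id_field):
    # Hardened: validate the field and bind it as a parameter, so it can only
    # ever be compared as a value and never alters the query's structure.
    try:
        wanted = int(id_field)
    except ValueError:
        return []
    cur = conn.execute(
        "SELECT content FROM data WHERE user=? AND id=?", (user, wanted)
    )
    return [row[0] for row in cur]


def demo():
    conn = make_db()
    payload = "1 OR user=1 AND id=2"  # the field value from the quoted message
    return {
        "unsafe": fetch_unsafe(conn, 2, payload),  # returns user 1's row too
        "safe": fetch_safe(conn, 2, payload),      # returns nothing
        "safe_legit": fetch_safe(conn, 2, "1"),    # normal lookup still works
    }
```

Python's `sqlite3.execute()` refuses to run more than one statement, so the `;DROP TABLE data` variant from the top of this reply is not reproduced here; other database connectors do not necessarily refuse it.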