[nycphp-talk] JavaScript List?
Benjamin Stiglitz
ben at tanjero.com
Fri Jul 19 15:04:52 EDT 2002
On Friday, July 19, 2002, at 02:44 PM, Analysis & Solutions wrote:
> I'm not talking about putting in bogus data. I'm talking about totally
> screwing up the system. Let's say your intranet form updates the name
> of
> a user. The user input is used to create a query string:
>
> UPDATE Users SET Name='$Name' WHERE UserID=$UserID
>
> $UserID is usually a number. But, what if the system allows me to alter
> $UserID to be "3; DELETE FROM Users WHERE 1=1" If your db permits
> multiple queries in one request, then there goes all your data.
>
While I don't disagree with the post, I'd just like to point out the the
PHP MySQL functions (I don't know about other databases) will only
process the first SQL statement passed, preventing such exploits.
Thank you,
Benjamin Stiglitz
Tanjero
ben at tanjero.com
More information about the talk
mailing list