
[MySQL]What's wrong with this ?


Saleh:

--- Quote from: Zef Hemel on August 06, 2003, 12:53:10 PM ---
I hope you applied mysql_escape_string() to that $title2 POST field ;)

--- End quote ---
I didn't use that function .. but the script is working fine until now -at least- ..
I am using addslashes(); instead .. also trim() ..
so that $title2 will be clean enough so not to confuse poor mysql ;D

Zef Hemel:
Confusing MySQL wasn't my primary concern, it was merely security I was worrying about.

Saleh:
And how can security be harmed?
I am asking because I am php green ;) and I want to learn more ..

Zef Hemel:
By using a ' in your form string you could break out of the SQL query, start a new one retrieving/inserting/deleting any data from the database you want. For example, let's say your variable $title2 has the value:
--- Code: ---something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla
--- End code ---
This is what your query will become:

--- Code: ---SELECT title, bookID, authF, authL, price
FROM books
WHERE title LIKE '%something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla%'
ORDER BY price;
--- End code ---
Result => Empty books table

[Unknown]:
PHP won't allow you to do two queries in one string, luckily enough, but it is still a problem.

-[Unknown]
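To see both points above in one place (Zef Hemel's break-out via a stray ' and [Unknown]'s note that a one-statement-per-call driver refuses the string but the problem remains), here is an added example that is not from this thread. It rebuilds the thread's query over an in-memory SQLite stand-in for the MySQL table (the sample rows are constructed) and contrasts string concatenation with parameter binding, which is what a mysqli or PDO prepared statement gives you in PHP.

```python
import sqlite3

# Constructed sample rows for the thread's "books" table (not data from the post).
ROWS = [
    ("something new", 1, "Ann", "Author", 9.99),
    ("bla bla", 2, "Bob", "Writer", 12.50),
]

# The $title2 value from Zef Hemel's post.
PAYLOAD = "something'; DELETE FROM books; SELECT * FROM books WHERE title LIKE '%bla"


def fresh_db():
    """In-memory stand-in for the MySQL database in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (title TEXT, bookID INTEGER, "
                 "authF TEXT, authL TEXT, price REAL)")
    conn.executemany("INSERT INTO books VALUES (?, ?, ?, ?, ?)", ROWS)
    return conn


def build_query_unsafe(title2):
    """The script's approach: paste the form value straight into the SQL text."""
    return ("SELECT title, bookID, authF, authL, price FROM books "
            f"WHERE title LIKE '%{title2}%' ORDER BY price;")


def run_unsafe(title2, multi_statement):
    """Run the concatenated query; return ('ok'|'refused', rows left in books).

    multi_statement=False mimics a driver that executes one statement per call
    (PHP's mysql_query, as [Unknown] notes); True runs everything it is handed.
    """
    conn = fresh_db()
    sql = build_query_unsafe(title2)
    try:
        if multi_statement:
            conn.executescript(sql)   # every statement runs, the DELETE included
        else:
            conn.execute(sql)         # raises on a string holding several statements
        status = "ok"
    except (sqlite3.Error, sqlite3.Warning):
        status = "refused"
    return status, conn.execute("SELECT COUNT(*) FROM books").fetchone()[0]


def search_safe(conn, title2):
    """Parameter binding: the value travels separately from the SQL text, so quotes
    and semicolons in it are matched as characters, never parsed as SQL. Only the
    LIKE wildcards % and _ keep their meaning inside the pattern."""
    return conn.execute(
        "SELECT title, bookID, authF, authL, price FROM books "
        "WHERE title LIKE ? ORDER BY price", ("%" + title2 + "%",)).fetchall()
```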
