FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » GUI designer in html
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: PS Re: GUI designer in html [message #182468 is a reply to message #182467] Mon, 05 August 2013 23:59 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 8/5/2013 7:32 PM, The Natural Philosopher wrote:
> On 05/08/13 23:55, Norman Peelman wrote:
>> On 08/05/2013 10:57 AM, Twayne wrote:
>>> On 2013-08-05 12:41 AM, J.O. Aho wrote:
>>>> On 05/08/13 02:59, Norman Peelman wrote:
>>>> > On 08/04/2013 01:09 PM, J.O. Aho wrote:
>>>>
>>>
>>> ....
>>>
>>>> >
>>>> > That's only if you go out of your way to enable multiple statements
>>>> > by using 'mysqli_multi_query()', which doesn't support prepared
>>>> > statements. By default mysqli_query() and mysqli_real_query() do not
>>>> > allow multiple queries separated by semi-colons.
>>>> >
>>>> > http://us2.php.net/manual/en/mysqli.quickstart.multiple-statement.php
>>>>
>>>> Unless something changed, mysqli_query supports multiple statements,
>>>> but
>>>> the return value do not support to give you the result from all the
>>>> queries, I think it returned the last one.
>>>>
>>>
>>> Quite correct and as the manual states;
>>
>> No.
>>
>>> "
>>> MySQL optionally allows having multiple statements in one statement
>>> string. Sending multiple statements at once reduces client-server round
>>> trips but requires special handling.
>>>
>>> Multiple statements or multi queries must be executed with
>>> mysqli_multi_query(). The individual statements of the statement string
>>> are separated by semicolon. Then, all result sets returned by the
>>> executed statements must be fetched.
>>>
>>> The MySQL server allows having statements that do return result sets and
>>> statements that do not return result sets in one multiple statement.
>>> "
>>>
>>
>> You need to scroll down to the middle of the page and read
>> *Security considerations* and *Example #2*.
>>
>>
> Furthermore the manual for mysql_query (as opposed to mysqli_query)
> actually states:
>
> "*mysql_query()* sends a unique query *(multiple queries are not
> supported)* to the currently active database on the server that's
> associated with the specified /|link_identifier|/. "
>
> so it would seem that this actual sql injection method is an urban myth.
>
> From PHP anyway.
>
> ISTR I actually tried it once to see if my code was robust. I failed to
> destroy the database or indeed any data, at all.
>

Incorrect (as usual).

It only means you can't run multiple SQL statements. But that is only
ONE method of SQL injection; it is quite possible to screw up a database
in a single SQL statement.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: GD Function help
Next Topic: Help with PHP BD imaging functionality
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Wed Nov 27 11:07:27 GMT 2024

Total time taken to generate the page: 0.07025 seconds