Re: i getting this warning [message #176026 is a reply to message #176025]
Thu, 17 November 2011 14:44
Jerry Stuckle
On 11/17/2011 9:15 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-17 15:01:
>
>> On 11/17/2011 8:31 AM, Arno Welzel wrote:
>>> Denis McMahon, 2011-11-16 16:11:
>>>
>>>> On Wed, 16 Nov 2011 06:56:21 -0500, Jerry Stuckle wrote:
>>>>
>>>> > On 11/16/2011 6:17 AM, sri kanth wrote:
>>>>
>>>> >> $qs=$_REQUEST['id'];
>>>> >> $data=mysql_query("select * from tbl_porduct where pid=$qs");
>>>>
>>>> > Three things.
>>>>
>>>> You missed "using unescaped user input in a query with no validation or
>>>> verification". I know it's only a select, but would you bet that he's
>>>> that sloppy with selects and yet rigorous with data changing statements?
>>>
>>> It does not matter what statement there *is*. Using data from outside in
>>> this way makes *everything* possible - this is the typical mistake which
>>> makes SQL injection possible!
>>>
>>>
>>> Example:
>>>
>>> Let's assume $qs is "1;drop tbl_product".
>>>
>>> $data = mysql_query("select * from tbl_product where pid=$qs");
>>>
>>> The statement will be expanded to:
>>>
>>> "select * from tbl_product where pid=1;drop tbl_product"
>>>
>>> The result will be that the table tbl_product will be dropped, if the
>>> MySQL user has the right to drop tables.
>>>
>>>
>> <snip>
>>
>> The statement will fail because mysql_query() will not execute multiple
>> statements in a single query.
>
> Generally and in this specific case you are right - but it is possible
> and you should never rely on this behaviour.
>
> See also: <http://php.net/manual/de/function.mysql-query.php>
>
>
You are preaching to the choir here. I'm just pointing out the error in
your comments.
If you had been reading this newsgroup for the past 8 years or so, you
would find many of us (including Denis and myself) have long been
proponents of this.
But you obviously failed to understand the discussion.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
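As an added illustration of the fix the thread is arguing for (not code from any of the posters), here is the vulnerable line next to a version that validates the id and binds it through a mysqli prepared statement; the host, credentials, database name and the integer column type are assumptions for the example.

```php
<?php
// Added example, not from the original thread. Connection details are placeholders.
$db = mysqli_connect('localhost', 'app_user', 'secret', 'shop');
if (!$db) {
    die('connect failed: ' . mysqli_connect_error());
}

// VULNERABLE (the pattern quoted in the thread): untrusted input pasted into SQL.
// $qs   = $_REQUEST['id'];
// $data = mysqli_query($db, "select * from tbl_product where pid=$qs");

// HARDENED, step 1: validate the shape of the input before it gets near SQL.
// pid is assumed to be an integer column, so anything but a short decimal number is rejected.
$raw = $_GET['id'] ?? '';
if (!preg_match('/^[0-9]{1,10}$/', $raw)) {
    http_response_code(400);
    exit('invalid product id');
}
$pid = (int) $raw;

// HARDENED, step 2: a prepared statement keeps data and SQL text separate,
// so a value like "1;drop tbl_product" is only ever compared against pid,
// never parsed as part of the statement.
$stmt = mysqli_prepare($db, 'SELECT * FROM tbl_product WHERE pid = ?');
if (!$stmt) {
    die('prepare failed: ' . mysqli_error($db));
}
mysqli_stmt_bind_param($stmt, 'i', $pid);   // 'i' = bind as integer
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);    // requires the mysqlnd driver

while ($row = mysqli_fetch_assoc($result)) {
    print_r($row);
}
mysqli_stmt_close($stmt);
mysqli_close($db);
```

The single-statement behaviour discussed above is a property of one call, not of the database: mysqli_query() also rejects stacked statements, while mysqli_multi_query() executes them, which is why the validation and binding above should not be skipped on the strength of that behaviour.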