Re: i getting this warning [message #176043 is a reply to message #176026] |
Mon, 21 November 2011 13:59 |
Arno Welzel
Jerry Stuckle, 2011-11-17 15:44:
> On 11/17/2011 9:15 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-17 15:01:
>>
>>> On 11/17/2011 8:31 AM, Arno Welzel wrote:
>>>> Denis McMahon, 2011-11-16 16:11:
>>>>
>>>> > On Wed, 16 Nov 2011 06:56:21 -0500, Jerry Stuckle wrote:
>>>> >
>>>> >> On 11/16/2011 6:17 AM, sri kanth wrote:
>>>> >
>>>> >>> $qs=$_REQUEST['id'];
>>>> >>> $data=mysql_query("select * from tbl_porduct where pid=$qs");
>>>> >
>>>> >> Three things.
>>>> >
>>>> > You missed "using unescaped user input in a query with no validation or
>>>> > verification". I know it's only a select, but would you bet that he's
>>>> > that sloppy with selects and yet rigorous with data changing statements?
>>>>
>>>> It does not matter what statement there *is*. Using data from outside in
>>>> this way makes *everything* possible - this is the typical mistake which
>>>> makes SQL injection possible!
>>>>
>>>>
>>>> Example:
>>>>
>>>> Let's assume $qs is "1;drop tbl_product".
>>>>
>>>> $data = mysql_query("select * from tbl_product where pid=$qs");
>>>>
>>>> The statement will be expanded to:
>>>>
>>>> "select * from tbl_product where pid=1;drop tbl_product"
>>>>
>>>> The result will be that the table tbl_product will be dropped, if the
>>>> MySQL user has the right to drop tables.
>>>>
>>>>
>>> <snip>
>>>
>>> The statement will fail because mysql_query() will not execute multiple
>>> statements in a single query.
>>
>> Generally and in this specific case you are right - but it is possible
>> and you should never rely on this behaviour.
>>
>> See also: <http://php.net/manual/de/function.mysql-query.php>
>>
>>
>
> You are preaching to the choir here. I'm just pointing out the error in
> your comments.
And I already agreed with you. So what's your point?
And I just tried to explain why the assumption that using multiple queries
is not a problem, since mysql_query() would fail anyway, may be wrong.
> If you had been reading this newsgroup for the past 8 years or so, you
> will find many of us (including Denis and myself) have long been
> proponents of this.
>
> But you obviously failed to understand the discussion.
Then ignore my statements.
--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
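For reference, here is what the quoted `mysql_query("... where pid=$qs")` line looks like when the request value is validated and bound as a parameter instead of being spliced into the SQL text. This is an added example, not code from the thread; the table name comes from the quoted messages, while the DSN, credentials and the use of PDO (rather than the old mysql extension) are assumptions.

```php
<?php
// Added example, not from the thread. The id is never concatenated into the
// SQL string; it is validated and then sent as a bound value, so input such
// as "1;drop tbl_product" can only ever be compared against pid as data,
// whether or not the driver would execute a second statement.
declare(strict_types=1);

// A product id must be a positive integer; reject everything else up front.
function parsePositiveInt(string $raw): ?int
{
    // ctype_digit() is false for '', signs, spaces and any non-digit byte.
    if (!ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $n = (int) $raw;
    return $n > 0 ? $n : null;
}

// $_GET narrows the source compared to $_REQUEST in the original snippet.
$pid = parsePositiveInt((string) ($_GET['id'] ?? ''));
if ($pid === null) {
    http_response_code(400);
    exit('invalid product id');
}

// Connection details are placeholders (assumption).
$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statement
    ]
);

// The ? placeholder is bound to $pid; the value travels outside the SQL text.
$stmt = $pdo->prepare('SELECT * FROM tbl_product WHERE pid = ?');
$stmt->bindValue(1, $pid, PDO::PARAM_INT);
$stmt->execute();
$data = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The same shape works with mysqli (`prepare()` / `bind_param('i', $pid)`); the point is that the user-supplied value is passed to the server as a parameter, not as part of the statement.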