Re: i getting this warning [message #176045 is a reply to message #176043] |
Mon, 21 November 2011 14:12 |
Jerry Stuckle
Messages: 2598 Registered: September 2010
On 11/21/2011 8:59 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-17 15:44:
>
>> On 11/17/2011 9:15 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-17 15:01:
>>>
>>>> On 11/17/2011 8:31 AM, Arno Welzel wrote:
>>>> > Denis McMahon, 2011-11-16 16:11:
>>>> >
>>>> >> On Wed, 16 Nov 2011 06:56:21 -0500, Jerry Stuckle wrote:
>>>> >>
>>>> >>> On 11/16/2011 6:17 AM, sri kanth wrote:
>>>> >>
>>>> >>>> $qs=$_REQUEST['id'];
>>>> >>>> $data=mysql_query("select * from tbl_porduct where pid=$qs");
>>>> >>
>>>> >>> Three things.
>>>> >>
>>>> >> You missed "using unescaped user input in a query with no validation or
>>>> >> verification". I know it's only a select, but would you bet that he's
>>>> >> that sloppy with selects and yet rigorous with data changing statements?
>>>> >
>>>> > It does not matter what statement there *is*. Using data from outside in
>>>> > this way makes *everything* possible - this is the typical mistake which
>>>> > makes SQL injection possible!
>>>> >
>>>> >
>>>> > Example:
>>>> >
>>>> > Let's assume $qs is "1;drop tbl_product".
>>>> >
>>>> > $data = mysql_query("select * from tbl_product where pid=$qs");
>>>> >
>>>> > The statement will be expanded to:
>>>> >
>>>> > "select * from tbl_product where pid=1;drop tbl_product"
>>>> >
>>>> > The result will be that the table tbl_product will be dropped, if the
>>>> > MySQL user has the right to drop tables.
>>>> >
>>>> >
>>>> <snip>
>>>>
>>>> The statement will fail because mysql_query() will not execute multiple
>>>> statements in a single query.
>>>
>>> Generally and in this specific case you are right - but it is possible
>>> and you should never rely on this behaviour.
>>>
>>> See also: <http://php.net/manual/de/function.mysql-query.php>
>>>
>>>
>>
>> You are preaching to the choir here. I'm just pointing out the error in
>> your comments.
>
> And I already agreed with you. So what's your point?
>
> And I just tried to explain why the assumption that using multiple queries
> is not a problem, since mysql_query() would fail anyway, may be wrong.
>
>> If you had been reading this newsgroup for the past 8 years or so, you
>> would find many of us (including Denis and myself) have long been
>> proponents of this.
>>
>> But you obviously failed to understand the discussion.
>
> Then ignore my statements.
>
>
No problem. Consider yourself ignorant.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
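The pattern argued over in this thread, as an added example that is not part of any post above: the quoted `$_REQUEST['id']` interpolation is shown as a comment next to a hardened version that validates the id as an integer and binds it through a mysqli prepared statement. The table and column names (`tbl_product`, `pid`) come from the thread; the function name `fetch_product`, the connection details and the 404 handling are assumptions for illustration. mysqli is used because the `mysql_*` functions in the quoted code were removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. Table/column names come from the
// quoted query; fetch_product() and the DB credentials are placeholders.

// --- Vulnerable form (as quoted in the thread, kept here only as a comment) ---
// $qs   = $_REQUEST['id'];
// $data = mysql_query("select * from tbl_product where pid=$qs");
// Whatever arrives in "id" becomes part of the SQL text. Whether a second
// statement would run is a property of the client library, not of the input,
// so "mysql_query() won't run multiple statements" is not a defence.

// --- Hardened form: validate first, then parameterise ---
function fetch_product(mysqli $db, $raw_id): ?array
{
    // 1. Validate: pid is an integer key, so anything that is not a
    //    non-negative integer is rejected before it gets near SQL.
    if (!is_string($raw_id) && !is_int($raw_id)) {
        return null;
    }
    $valid = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($valid === false) {
        return null;
    }
    $pid = (int) $valid;

    // 2. Parameterise: the SQL text is fixed at prepare time; the value is
    //    sent separately and can never alter the statement's structure.
    $stmt = $db->prepare('SELECT * FROM tbl_product WHERE pid = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $pid);
    $stmt->execute();
    $result = $stmt->get_result();   // requires the mysqlnd driver
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Usage (connection details are placeholders, not values from the thread):
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$product = fetch_product($db, $_REQUEST['id'] ?? '');
if ($product === null) {
    http_response_code(404);
    echo 'no such product';
} else {
    header('Content-Type: application/json');
    echo json_encode($product);
}
```

The two steps are independent defences: the integer check alone would already stop the `1;drop tbl_product` payload from the thread, and the prepared statement alone would neutralise it, but the query is safe for the right reason only once the value is bound rather than interpolated. A string such as `"1;drop tbl_product"` fails `FILTER_VALIDATE_INT` and yields a 404 instead of reaching the database.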