Re: Help required with UPDATE columns [message #179544 is a reply to message #179543]
Tue, 06 November 2012 18:13
Thomas 'PointedEars'
Messages: 701 Registered: October 2010
Senior Member
Shake wrote:
> On 06/11/2012 18:59, Thomas 'PointedEars' Lahn wrote:
>> Either one allows for SQL injection. The OP should read on Prepared
>> Statements (but at least mysql_real_escape_string()) instead.
> [...]
>> The parentheses are unnecessary and misleading. The names should be
>> backtick-quoted.
>>
>>> That's not a PHP problem. Is a SQL one.
>>
>> _MySQL_, and you do not appear to know either very well.
>
> I just signaled the main error. That doesn't mean I don't know very
> well. And the error isn't _MySQL_. The error is in the SQL sentence.
> And this sentence is wrong in MySQL... and in other SQL DBs.
You are mistaken. Whether the query is syntactically wrong in the DBMS
depends on the data type, the value of the variable (that we do not know, do
we?) and the query language.
The actual and much more grave issue here is that the OP is using user input
($_POST['…']) unchecked and unescaped, which allows for SQL injection. If
they fixed that with Prepared Statements, both problems would go away.
PointedEars
--
realism: HTML 4.01 Strict
evangelism: XHTML 1.0 Strict
madness: XHTML 1.1 as application/xhtml+xml
-- Bjoern Hoehrmann
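As an added illustration of the point made above (this is example code, not code from the thread or from the OP's script): an UPDATE driven by $_POST values written with a mysqli prepared statement, so the data values never become part of the SQL text. The table and column names (`users`, `email`, `display_name`, `id`), the connection parameters and the PHP 7 syntax are assumptions for the example. Because a column name cannot be bound as a parameter, the column chosen by the user is checked against a fixed allowlist and backtick-quoted before the statement is built.

```php
<?php
// Added example, not from the thread. Assumed schema: table `users` with
// columns `id` (integer), `email` and `display_name` (strings).
// Connection parameters below are placeholders.

$mysqli = new mysqli('db-host', 'app_user', 'app_password', 'app_db');
if ($mysqli->connect_errno) {
    exit('Connection failed: ' . $mysqli->connect_error);
}
$mysqli->set_charset('utf8mb4');

// Identifiers cannot be bound, so only columns from this fixed allowlist
// may be named by the client; anything else is rejected before SQL is built.
$allowedColumns = ['email', 'display_name'];

$column = $_POST['column'] ?? '';
$value  = $_POST['value']  ?? '';
$id     = $_POST['id']     ?? '';

if (!in_array($column, $allowedColumns, true)) {
    http_response_code(400);
    exit('Unknown column');
}
if (!ctype_digit((string) $id)) {
    http_response_code(400);
    exit('Invalid id');
}

// The column name is backtick-quoted and comes from the allowlist; the data
// values are passed as bound parameters, not interpolated into the query.
$sql  = "UPDATE `users` SET `{$column}` = ? WHERE `id` = ?";
$stmt = $mysqli->prepare($sql);
if ($stmt === false) {
    exit('Prepare failed: ' . $mysqli->error);
}
$stmt->bind_param('si', $value, $id);   // 's' = string value, 'i' = integer id
if (!$stmt->execute()) {
    exit('Execute failed: ' . $stmt->error);
}
echo $stmt->affected_rows . " row(s) updated\n";
$stmt->close();
$mysqli->close();
```

With bound parameters the DBMS receives the value separately from the statement, so a value containing quotes or comment sequences is stored literally rather than changing the query's structure; the allowlist handles the one part of the statement (the column name) that cannot be parameterised.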