hmmm, i am seeing the same thing as tim here. are we doing something wrong?
i created a test table, entered some dummy data and then using scott's
example of "'; DELETE FROM seminar; " i tried executing

  insert into test values (0,''; DELETE FROM test; ',1);

and got this error

 ERROR 1064: You have an error in your SQL syntax near '' at line 1

trying other variations either caused similar errors or added rows to my
table.

is it possible to sneak in a command in this manner?

mike

on 8/2/01 2:39 AM, Tim Ward at [EMAIL PROTECTED] wrote:

> I'd always understood that mysql doesn't allow multiple statements to be
> submitted so this post obviously worried me. I did some tests and confirmed
> that this is not a problem in MySQL queries from PHP. If I'm wrong about
> this please let me know.
> 
> Tim
> 
> ----------
> From:  scott [gts] [SMTP:[EMAIL PROTECTED]]
> Sent:  01 August 2001 18:03
> To:  php
> Subject:  RE: [PHP] SQL syntax error in PHP script.  dunno what's wrong
> 
> no offense to you sam, but please don't ever simply place
> single quotes around values.  you have to escape the values
> *themselves*.
> 
> what if someone submitted the form field title as:
> $title = "'; DELETE FROM seminar; "
> 
> if you didn't escape the single quotes in there, it
> would get interpreted as a valid DELETE statement
> and your seminar table would get wiped.
> 
> however, if you escaped $title, you'd end up setting
> title to "\'; DELETE FROM SEMINAR; "
> (rather than have the contents of $title interpreted
> as SQL commands)
> 
>> -----Original Message-----
>> From: Sam Masiello [mailto:[EMAIL PROTECTED]]
>> Subject: RE: [PHP] SQL syntax error in PHP script. dunno what's wrong
>> 
>> 
>> You will need to put single quotes around your variables in your SQL
>> statement.  Like this:
>> 
>> $sql = "UPDATE TABLE seminar SET
>> title='$title',speaker='$speaker',event_date='$tdate',time='$time',bldg='$building',rm='$room'  WHERE id='$id'";
>> 
>> Without the quotes, SQL doesn't know that Something Amazing is supposed to
>> go together in the same string.
>> 
>> HTH
> 


-- mike cullerton
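An added illustration of the thread's three positions, written for this page and not posted by anyone above. It uses Python with an in-memory SQLite database standing in for MySQL (an assumption; SQLite escapes a quote by doubling it, where MySQL's addslashes()/mysql_real_escape_string() use a backslash). It feeds scott's payload into Sam's quoted-interpolation pattern: on a single-statement API the query simply errors, as Mike and Tim observed, but the same string handed to an API that accepts several statements runs the DELETE, while escaping the value or passing it as a parameter stores it literally.

```python
import sqlite3

# Constructed from the thread: a form value that closes the string literal
# and tries to append a second statement.
PAYLOAD = "'; DELETE FROM seminar; "


def fresh_db():
    """In-memory SQLite stands in for MySQL (assumption); one seminar row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seminar (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO seminar (id, title) VALUES (1, 'PHP and MySQL')")
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM seminar").fetchone()[0]


def title_of(conn, seminar_id):
    row = conn.execute("SELECT title FROM seminar WHERE id=?", (seminar_id,))
    return row.fetchone()[0]


def unescaped_update(conn, title, seminar_id, allow_multiple=False):
    """Sam's pattern: quote the variable and interpolate it into the SQL text.
    Returns True if the statement ran without error, False otherwise."""
    sql = "UPDATE seminar SET title='%s' WHERE id=%d" % (title, seminar_id)
    try:
        if allow_multiple:
            conn.executescript(sql)  # an API that accepts several statements
        else:
            conn.execute(sql)        # single-statement API, like mysql_query()
        conn.commit()
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def escape_value(value):
    """scott's advice: escape the value itself (SQLite convention: double the quote)."""
    return value.replace("'", "''")


def escaped_update(conn, title, seminar_id):
    sql = "UPDATE seminar SET title='%s' WHERE id=%d" % (escape_value(title), seminar_id)
    conn.execute(sql)
    conn.commit()


def parameterized_update(conn, title, seminar_id):
    """Preferred today: the driver sends the value separately, never as SQL text."""
    conn.execute("UPDATE seminar SET title=? WHERE id=?", (title, seminar_id))
    conn.commit()
```

The single-statement refusal is a property of the driver call, not of the data: the escaping or parameter binding is what actually keeps the payload out of the SQL.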



-- 
PHP General Mailing List (http://www.php.net/)