On Wed, 2011-03-30 at 11:39 -0500, Brian Moon wrote:
> > 3. Make the PHP module use the SELECT EXECUTE() syntax with user vars
> > for prepared statements. I'm not sure if you can inject using that, will
> > have to play, if you can it shouldn't be too hard to make a safer
> > version of it.
>
> I don't know this syntax. link?
http://docs.drizzle.org/dynamic.html?highlight=execute

Although that doesn't cover everything you can do. For example you can do:

set @my_query='SELECT * FROM t1 WHERE a=@var';
set @var=2;
execute @my_query;

Kind Regards

-- 
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
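As an added example (not code from this thread or from Drizzle itself), a Python helper that emits the three-statement pattern shown above while keeping caller-supplied values out of the query text: the template is fixed by the developer and every value goes into its own SET @name. It assumes MySQL-style quoting of single-quoted literals (doubling single quotes, escaping backslashes), which is an assumption about Drizzle that the thread does not confirm.

```python
import re

# Constructed helper for the Drizzle "execute @my_query" pattern.
# Assumption: Drizzle accepts MySQL-style quoting inside single-quoted
# string literals (doubled single quotes, backslash escapes).

PLACEHOLDER = re.compile(r"@([A-Za-z_][A-Za-z0-9_]*)")
QUERY_VAR = "my_query"  # name of the user variable holding the query text


def quote_literal(value):
    """Render a Python value as an SQL literal (number, NULL or quoted string)."""
    if isinstance(value, bool):
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if value is None:
        return "NULL"
    s = str(value)
    if "\x00" in s:
        raise ValueError("NUL byte not allowed in a string parameter")
    s = s.replace("\\", "\\\\").replace("'", "''")
    return "'" + s + "'"


def build_execute_batch(template, params):
    """Return the SET/EXECUTE statements for a fixed template and caller values.

    `template` references each parameter as @name; `params` maps name -> value.
    Every @name in the template must be supplied, and every supplied name must
    be referenced, so nothing from the values side can become query text.
    """
    if QUERY_VAR in params:
        raise ValueError("@%s is reserved for the query text" % QUERY_VAR)
    referenced = set(PLACEHOLDER.findall(template))
    if referenced != set(params):
        raise ValueError("params %s do not match template references %s"
                         % (sorted(params), sorted(referenced)))
    stmts = ["SET @%s=%s;" % (QUERY_VAR, quote_literal(template))]
    for name in sorted(params):
        stmts.append("SET @%s=%s;" % (name, quote_literal(params[name])))
    stmts.append("EXECUTE @%s;" % QUERY_VAR)
    return stmts
```

The helper only guarantees that the query text comes from the template and that each value stays inside its own quoted literal; whether Drizzle evaluates @var as a value rather than substituting text is the question the thread leaves open, so it should be checked against the server before relying on it.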

