On 8/11/04 9:48 PM, Michael Stassen at [EMAIL PROTECTED] wrote:

> With parens:
>
>   SELECT id, name FROM listmail
>   WHERE date_time > DATE_SUB(NOW(), INTERVAL 30 DAY)
>     AND (subject = 'semaphore'
>          OR subject = 'Re: semaphore'
>          OR subject = 'Re:semaphore')
>   ORDER BY id ASC LIMIT 60
>
> Without parens:
>
>   SELECT id, name FROM listmail
>   WHERE date_time > DATE_SUB(NOW(), INTERVAL 30 DAY)
>     AND subject IN ('semaphore', 'Re: semaphore', 'Re:semaphore')
>   ORDER BY id ASC LIMIT 60
>
> These two are perfectly equivalent. The latter is, of course, the same
> query as in your post.
>
> Why do you expect these 2 queries to be different with respect to SQL
> injection? It seems to me you need to validate your input either way.
> Perhaps if you reminded us what language you're using, showed us the insert,
> and told us what you mean by making mysql "cranky", someone could help you
> solve that problem.
Thanks! In regards to the injection, I was just having a hard time escaping the strings as I wanted them to be, and MySQL was not liking what I was up to:

  IN "('dadas', 'wewew')"
  IN "(\"dadas\", \"wewew\")"

Etc, etc, etc, you get the idea of the path I was down :-) I figured out to simply quote and escape each inner string finally.

I think I will stick with the IN style, since it is a little cleaner "looking", not sure about performance.

I tend to not mention the language I am using since I am pretty sure I am the only one on this list using it. It is called WebSiphon, it is a little like PHP, a little like BASIC, a little like C, my favorite, but not well known... Yet :-)

-- 
-------------------------------------------------------------
Scott Haneda                                Tel: 415.898.2602
http://www.newgeo.com                       Fax: 313.557.5052
[EMAIL PROTECTED]                           Novato, CA U.S.A.
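The escaping trouble in this thread comes from building the IN list by hand. The following is an added example, not code from either poster, showing the hand-quoted approach beside a placeholder-per-value query; it uses Python's sqlite3 with a constructed listmail table so it runs offline (a MySQL DB-API driver such as MySQLdb or PyMySQL would use %s in place of ?, and the DATE_SUB(NOW(), ...) filter is dropped for the same reason).

```python
import sqlite3

# Constructed rows standing in for the listmail table discussed in the thread.
ROWS = [
    (1, "alice", "semaphore"),
    (2, "bob", "Re: semaphore"),
    (3, "carol", "Re:semaphore"),
    (4, "dave", "unrelated"),
    (5, "erin", "Re: O'Brien's semaphore"),   # subject containing quotes
]


def make_db():
    """In-memory sqlite3 stand-in for the MySQL listmail table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listmail (id INTEGER, name TEXT, subject TEXT)")
    conn.executemany("INSERT INTO listmail VALUES (?, ?, ?)", ROWS)
    return conn


def ids_naive(conn, subjects):
    """Hand-quoted IN list, as the thread started out: a value with an
    embedded quote breaks the statement (and is the injection opening)."""
    inner = ", ".join("'" + s + "'" for s in subjects)
    sql = ("SELECT id, name FROM listmail WHERE subject IN (" + inner
           + ") ORDER BY id ASC LIMIT 60")
    return [row[0] for row in conn.execute(sql)]


def ids_param(conn, subjects):
    """One placeholder per value; the driver quotes and escapes each string.
    An empty list is handled up front because 'IN ()' is a syntax error."""
    if not subjects:
        return []
    marks = ", ".join("?" for _ in subjects)
    sql = ("SELECT id, name FROM listmail WHERE subject IN (" + marks
           + ") ORDER BY id ASC LIMIT 60")
    return [row[0] for row in conn.execute(sql, list(subjects))]


def naive_breaks(conn, subjects):
    """True if the hand-quoted query fails to parse for these subjects."""
    try:
        ids_naive(conn, subjects)
    except sqlite3.OperationalError:
        return True
    return False
```

With the parameterized form the subject values never touch the SQL text, so the same query handles 'semaphore' and "Re: O'Brien's semaphore" alike.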