on 8/11/04 9:48 PM, Michael Stassen at [EMAIL PROTECTED] wrote:
> With parens:
>
> SELECT id, name FROM listmail
> WHERE date_time > DATE_SUB(NOW(), INTERVAL 30 DAY)
> AND (subject = 'semaphore'
> OR subject = 'Re: semaphore'
> OR subject = 'Re:semaphore')
> ORDER BY id ASC LIMIT 60
>
> Without parens:
>
> SELECT id, name FROM listmail
> WHERE date_time > DATE_SUB(NOW(), INTERVAL 30 DAY)
> AND subject IN ('semaphore', 'Re: semaphore', 'Re:semaphore')
> ORDER BY id ASC LIMIT 60
>
> These two are perfectly equivalent. The latter is, of course, the same
> query as in your post.
>
> Why do you expect these 2 queries to be different with respect to SQL
> injection? It seems to me you need to validate your input either way.
> Perhaps if you reminded us what language you're using, showed us the insert,
> and told us what you mean by making mysql "cranky", someone could help you
> solve that problem.
Thanks!
In regard to the injection, I was just having a hard time escaping the
strings as I wanted them to be, and MySQL was not liking what I was up to...
IN "('dadas', 'wewew')"
IN "(\"dadas\", \"wewew\")"
Etc, etc, etc, you get the idea of the path I was down :-)
I finally figured out to simply quote and escape each inner string. I think
I will stick with the IN style, since it is a little cleaner "looking"; not
sure about performance.
I tend to not mention the language I am using, since I am pretty sure I am
the only one on this list using it. It is called WebSiphon; it is a little
like PHP, a little like BASIC, a little like C (my favorite), but not well
known... Yet :-)
--
-------------------------------------------------------------
Scott Haneda Tel: 415.898.2602
http://www.newgeo.com Fax: 313.557.5052
[EMAIL PROTECTED] Novato, CA U.S.A.
--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
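The escaping problem Scott describes (quoting the whole IN list as one string versus quoting and escaping each inner string) is worth seeing side by side, together with the placeholder form that avoids hand escaping altogether. The following Python is an added example, not code from the thread or from WebSiphon: it assumes the escape rules of mysql_real_escape_string (single-byte character sets only; for multi-byte sets such as GBK use the driver's own escaping) and the %s placeholder style of the MySQLdb/PyMySQL drivers. The sample subjects, including the quote-terminating payload, are constructed for the demonstration.

```python
"""
Added example (not from the original thread): building a MySQL IN (...) list
from untrusted strings. Shows why quoting the joined list does not work,
what per-element quoting looks like, and the placeholder form that leaves
escaping to the driver.
"""
from typing import Iterable, List, Tuple

# Characters mysql_real_escape_string() rewrites and their escaped forms.
# Assumption: the connection character set is single-byte or UTF-8; byte-wise
# escaping is unsafe for sets such as GBK, where the driver must do it.
_MYSQL_ESCAPES = {
    "\0": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape(value: str) -> str:
    """Escape a string for use inside a MySQL single-quoted literal."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def quote_literal(value: str) -> str:
    """Return the value as a single-quoted MySQL string literal."""
    return "'" + mysql_escape(value) + "'"


def in_list_naive(values: Iterable[str]) -> str:
    """The broken approach from the thread: wrap each value in quotes and
    join, treating the list as one string. Nothing inside the quotes is
    escaped, so a value containing a quote terminates the literal."""
    joined = ", ".join("'" + v + "'" for v in values)  # no per-element escaping
    return "IN (" + joined + ")"


def in_list_escaped(values: Iterable[str]) -> str:
    """Correct string-building approach: escape and quote each element
    separately, then join the quoted literals with commas."""
    return "IN (" + ", ".join(quote_literal(v) for v in values) + ")"


def in_list_parameterized(values: Iterable[str]) -> Tuple[str, List[str]]:
    """Preferred approach: one placeholder per element, values passed
    separately so the driver escapes them. %s is the placeholder style of
    MySQLdb / PyMySQL (assumption: that is the driver in use)."""
    vals = list(values)
    if not vals:
        # IN () is a syntax error in MySQL; emit a clause that matches nothing.
        return "IN (NULL)", []
    return "IN (" + ", ".join(["%s"] * len(vals)) + ")", vals


def build_query(values: Iterable[str], days: int = 30,
                limit: int = 60) -> Tuple[str, List]:
    """The listmail query from the thread with a parameterized IN list.
    Returns (sql, params) ready for cursor.execute(sql, params)."""
    clause, params = in_list_parameterized(values)
    sql = (
        "SELECT id, name FROM listmail "
        "WHERE date_time > DATE_SUB(NOW(), INTERVAL %s DAY) "
        "AND subject " + clause + " "
        "ORDER BY id ASC LIMIT %s"
    )
    return sql, [days, *params, limit]


if __name__ == "__main__":
    # Constructed sample input: the last value carries a quote-terminating payload.
    subjects = ["semaphore", "Re: semaphore", "x') OR 1=1 -- "]
    print(in_list_naive(subjects))        # literal closed early: injection
    print(in_list_escaped(subjects))      # payload stays inside the literal
    print(build_query(subjects))          # placeholders plus a parameter list
```

Run stand-alone it prints the three forms for the same input; the naive clause ends in `'x') OR 1=1 -- ')`, the escaped one keeps the whole payload inside a single literal, and the parameterized one never puts user data in the SQL text at all. The `IN (NULL)` branch matters in practice: an empty list otherwise produces `IN ()`, which MySQL rejects.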