In article <[EMAIL PROTECTED]>, Stuart Felenstein <[EMAIL PROTECTED]> writes:
> Not sure exactly what you mean by a SQL injection
> attack. I'm thinking a string could be input as
> opposed to an integer ?

Exactly - especially an SQL string.

> The form itself constricts the user to a set of choices.

This won't help at all. An attacker can construct a query with arbitrary form values. Never put unchecked/unquoted strings into an SQL query.

I dunno PHP, but in Perl one would use something like

    use DBI;

    # $dbh is an already-connected DBI handle; the ? is a bind placeholder
    my $sth = $dbh->prepare ("
        SELECT whatever
          FROM mytable
         WHERE date >= now() - INTERVAL ? DAY
    ");
    $sth->execute ($numdays);

In this case $numdays gets properly escaped by Perl - if it contains garbage, the query will fail, but it can't do dangerous things with your database.

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
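The same contrast, shown as an added example rather than code from either poster: a query that interpolates the form value into the SQL text beside one that validates the type and binds the value with a placeholder. It uses Python's built-in sqlite3 module so it runs offline; the table `mytable`, the column `created`, the three sample rows and the non-numeric form value are constructed for the demonstration and are not from the thread.

```python
import sqlite3
from datetime import datetime, timedelta, timezone


def make_db():
    """Build an in-memory database with constructed sample rows created
    0, 3 and 30 days before today (UTC)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, created TEXT)")
    today = datetime.now(timezone.utc).date()
    for row_id, age_days in enumerate((0, 3, 30), start=1):
        created = (today - timedelta(days=age_days)).isoformat()
        conn.execute("INSERT INTO mytable VALUES (?, ?)", (row_id, created))
    conn.commit()
    return conn


def recent_ids_unsafe(conn, numdays):
    """Anti-pattern: the form value is pasted into the SQL text, so any
    value that is not a plain number becomes part of the query itself."""
    sql = (
        "SELECT id FROM mytable "
        f"WHERE julianday('now') - julianday(created) <= {numdays} "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def recent_ids_safe(conn, numdays):
    """Hardened form: reject anything that is not an integer up front
    (garbage raises ValueError and never reaches the database), then pass
    the value as a bound parameter so the driver never interpolates it."""
    days = int(numdays)
    sql = (
        "SELECT id FROM mytable "
        "WHERE julianday('now') - julianday(created) <= ? "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (days,))]


if __name__ == "__main__":
    conn = make_db()
    print(recent_ids_safe(conn, "7"))            # rows from the last week
    # A value the form would never produce, but a hand-built request can:
    print(recent_ids_unsafe(conn, "0 OR 1=1"))   # every row, filter bypassed
    try:
        recent_ids_safe(conn, "0 OR 1=1")
    except ValueError as exc:
        print("rejected before reaching SQL:", exc)
```

The type check is what turns "garbage" into a failed request rather than a silently altered query; the placeholder is what guarantees the database only ever sees the value as a number, never as SQL.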