For example, if you are not quoting your criteria:
$sql = mysql_query("select * from users where name=".$name);

if someone enters the following in the name field, you're toast:
"Jim; delete from users;"

on the contrary:
$sql = mysql_query("select * from users where name='".$name."'");

will simply look for a user with a name of "Jim; delete from users;" and return no results found.

This is just one example.
Your queries look fine.

At 08:58 AM 7/7/2004, Gabe wrote:
Can someone help me understand how people are able to use SQL maliciously if you don't protect against it in PHP? For example, I've written a very simple search SQL statement that takes the value of a variable for the search criteria (from a webpage form). I don't understand how someone could enter an SQL statement that could be malicious. Here's the SQL statement that I run once I have the search criteria stored in $strCriteria:

SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question WHERE (blnHidden = FALSE AND ((fldBody LIKE '%$strCriteria%') OR (fldQuesTitle LIKE '%$strCriteria%')));

I know in general that protecting against someone entering SQL is a must. So I guess I'm just wondering if anyone has any real-world experience with how people can take advantage of SQL and forms.

Thanks!

Gabe

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
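As an added example (not code from either message in this thread), here is Gabe's LIKE search rebuilt in Python against an in-memory SQLite table, so the quoted-but-unescaped construction from the question can be run side by side with a parameterized one. SQLite stands in for MySQL and Python for PHP; the table rows are constructed for the demo. It shows that in the interpolated version a single quote in the input stops being data and reaches the SQL parser (here as a syntax error; a value crafted to stay syntactically valid would instead change what the query does, which is the point the reply makes with "Jim; delete from users;"), while a bound parameter keeps it as data. It also shows a caveat that parameterization alone does not cover: `%` and `_` in the input still act as LIKE wildcards unless they are escaped.

```python
import sqlite3

# Constructed sample data (not from the mailing list); column names follow Gabe's query.
SAMPLE_ROWS = [
    (1, "How do I reset my password?", "Use the reset link on the login page.", 0),
    (2, "Draft: unpublished entry", "Not yet reviewed; stays hidden.", 1),
    (3, "Is the 100% guarantee real?", "Yes, see the terms page.", 0),
]

SELECT_COLUMNS = "SELECT autoQuesID, fldQuesTitle, fldBody FROM tblFAQ_Question "


def open_db():
    """Create an in-memory table shaped like tblFAQ_Question and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblFAQ_Question (autoQuesID INTEGER PRIMARY KEY, "
        "fldQuesTitle TEXT, fldBody TEXT, blnHidden INTEGER)"
    )
    conn.executemany("INSERT INTO tblFAQ_Question VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_interpolated(conn, criteria):
    """Build the query the way the original PHP does: quote the value, paste it in verbatim.

    blnHidden = FALSE from the original is written as 0 for SQLite.
    """
    sql = (
        SELECT_COLUMNS
        + "WHERE (blnHidden = 0 AND ((fldBody LIKE '%" + criteria + "%') "
        "OR (fldQuesTitle LIKE '%" + criteria + "%')))"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, criteria, literal_wildcards=False):
    """Same search with bound parameters: the value never reaches the SQL parser.

    A quote inside `criteria` is data, not syntax. LIKE wildcards are a separate
    matter: `%` and `_` in the input still act as wildcards unless escaped, which
    `literal_wildcards=True` does via an ESCAPE clause (backslash as escape char).
    """
    if literal_wildcards:
        criteria = criteria.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        SELECT_COLUMNS
        + "WHERE (blnHidden = 0 AND ((fldBody LIKE ? ESCAPE '\\') "
        "OR (fldQuesTitle LIKE ? ESCAPE '\\')))"
    )
    pattern = "%" + criteria + "%"
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def interpolated_breaks_on_quote(conn, criteria):
    """True when the interpolated query is no longer valid SQL for this input."""
    try:
        search_interpolated(conn, criteria)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    print("benign, interpolated:          ", search_interpolated(db, "password"))
    print("benign, parameterized:         ", search_parameterized(db, "password"))
    print("quote breaks interpolated query:", interpolated_breaks_on_quote(db, "O'Reilly"))
    print("quote, parameterized:          ", search_parameterized(db, "O'Reilly"))
    print("'%' as wildcard:               ", search_parameterized(db, "%"))
    print("'%' as literal:                ", search_parameterized(db, "%", literal_wildcards=True))
```

The hidden row (blnHidden = 1) never appears in the parameterized results whatever the input, because the input cannot alter the WHERE clause. Whether `%` in a search box should behave as a wildcard is an application decision; the `literal_wildcards` flag shows how to make it literal when it should not.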

