MySQL: PHP or direct access?
Peter Haworth
pete at lcsql.com
Thu Aug 13 14:37:00 EDT 2015
Or even worse:
SELECT content FROM data WHERE user=<actualuserid>;DROP TABLE data
On Thu, Aug 13, 2015 at 10:50 AM Mark Waddingham <mark at livecode.com> wrote:
>
> Here the input field is not being validated in any way, nor is the value
> being escaped. This means that I am then free (as a user of the client)
> to put anything I want into that field. Imagine I put the following into
> the field:
> 1 OR user=1 AND id=2
>
> The query the client ends up sending to the DB is:
> SELECT content FROM data WHERE user=<actualuserid> AND id=1 OR user=1
> AND id=2
>
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
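The concatenated query from the quoted post, placed beside its parameterised form so the difference is visible at the result level. This is an added example using Python's sqlite3 module, not code from either post; the table contents and user ids are constructed.

```python
import sqlite3

# Constructed sample table: (user, id, content); two users, two rows each.
ROWS = [(1, 1, "alice-row1"), (1, 2, "alice-row2"),
        (2, 1, "bob-row1"), (2, 2, "bob-row2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (user INTEGER, id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", ROWS)
    return conn


def fetch_concat(conn, user_id, id_field):
    """Vulnerable: the field value is pasted into the SQL text unescaped,
    mirroring the client in the thread. Whatever was typed becomes SQL."""
    sql = "SELECT content FROM data WHERE user=%d AND id=%s" % (user_id, id_field)
    return sorted(r[0] for r in conn.execute(sql))


def fetch_param(conn, user_id, id_field):
    """Hardened: the field value is bound as a parameter, so it is compared
    as a value and cannot change the shape of the query."""
    sql = "SELECT content FROM data WHERE user=? AND id=?"
    return sorted(r[0] for r in conn.execute(sql, (user_id, id_field)))


def stacked_statement_rejected(conn, user_id, id_field):
    """Python's sqlite3 refuses a second statement after ';' (older versions
    raise Warning, newer ones ProgrammingError). Other drivers and APIs may
    run it, so this is a driver property, not a defence to rely on."""
    try:
        fetch_concat(conn, user_id, id_field)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    bob = 2
    print(fetch_concat(db, bob, "1"))                     # honest input
    print(fetch_concat(db, bob, "1 OR user=1 AND id=2"))  # also returns alice-row2
    print(fetch_param(db, bob, "1 OR user=1 AND id=2"))   # []
    print(stacked_statement_rejected(db, bob, "1;DROP TABLE data"))
```

The parameterised query returns nothing for the crafted value because it is compared as a literal, not parsed as SQL; the ';DROP TABLE' case from the reply above is stopped here only by the driver, which is why binding, not driver behaviour, is the fix.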