MySQL: PHP or direct access?

Peter Haworth pete at lcsql.com
Thu Aug 13 14:37:00 EDT 2015


Or even worse:

 SELECT content FROM data WHERE user=<actualuserid>;DROP TABLE data

On Thu, Aug 13, 2015 at 10:50 AM Mark Waddingham <mark at livecode.com> wrote:

>
> Here the input field is not being validated in anyway, nor is the value
> being escaped. This means that I am then free (as a user of the client)
> to put anything I want into that field. Imagine I put the following into
> the field:
>    1 OR user=1 AND id=2
>
> The query the client ends up sending to the DB is:
>    SELECT content FROM data WHERE user=<actualuserid> AND id=1 OR user=1
> AND is=2
>
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



More information about the Use-livecode mailing list