MySQL: PHP or direct access?

Peter Haworth pete at
Thu Aug 13 14:37:00 EDT 2015

Or even worse:

 SELECT content FROM data WHERE user=<actualuserid>;DROP TABLE data

On Thu, Aug 13, 2015 at 10:50 AM Mark Waddingham <mark at> wrote:

> Here the input field is not being validated in any way, nor is the value
> being escaped. This means that I am then free (as a user of the client)
> to put anything I want into that field. Imagine I put the following into
> the field:
>    1 OR user=1 AND id=2
> The query the client ends up sending to the DB is:
>    SELECT content FROM data WHERE user=<actualuserid> AND id=1 OR user=1 AND id=2

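Both payloads in this exchange, run end to end as an added example that is not code from the thread or from LiveCode. It uses Python's sqlite3 module and a constructed data(user, id, content) table as a stand-in for the MySQL database being discussed; fetch_unsafe builds the query by string concatenation exactly as the quoted client does, fetch_safe is the parameterised form, and fetch_unsafe_stacked uses executescript() to stand in for a driver that accepts several ';'-separated statements in one call (MySQL does this when the client connects with multi-statements enabled; sqlite3's plain execute() refuses it). All table and function names are this example's own.

```python
import sqlite3

# Constructed sample data (not from the thread): two users with two rows each.
ROWS = [
    (1, 1, "user1 row1"),
    (1, 2, "user1 row2"),
    (2, 1, "user2 row1"),
    (2, 2, "user2 row2"),
]


def make_db():
    """In-memory SQLite database with the data(user, id, content) table the thread talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE data (user INTEGER, id INTEGER, content TEXT)")
    conn.executemany("INSERT INTO data VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def fetch_unsafe(conn, user_id, id_field):
    """The pattern criticised in the thread: the user-supplied id field is pasted into the SQL text.
    'AND' binds tighter than 'OR', so a payload of '1 OR user=1 AND id=2' turns the WHERE clause into
    (user=<me> AND id=1) OR (user=1 AND id=2) and returns somebody else's row."""
    sql = f"SELECT content FROM data WHERE user={user_id} AND id={id_field}"
    return [row[0] for row in conn.execute(sql)]


def fetch_safe(conn, user_id, id_field):
    """Parameterised form: the values travel separately from the statement, so the payload is only
    ever compared against the id column as data and never parsed as SQL."""
    sql = "SELECT content FROM data WHERE user=? AND id=?"
    return [row[0] for row in conn.execute(sql, (user_id, id_field))]


def fetch_unsafe_stacked(conn, user_id, id_field):
    """Same string building, but executed through executescript(), which (like a MySQL client with
    multi-statements enabled) runs whatever follows a ';' as a second statement."""
    sql = f"SELECT content FROM data WHERE user={user_id} AND id={id_field}"
    conn.executescript(sql)


def table_exists(conn, name="data"):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def demo():
    """Run both payloads against a fresh database and collect what each query path returned."""
    tautology = "1 OR user=1 AND id=2"   # Mark's payload, typed into the id field
    stacked = "1;DROP TABLE data"        # Peter's "even worse" payload
    conn = make_db()
    results = {
        "unsafe": sorted(fetch_unsafe(conn, 2, tautology)),   # leaks user 1's row
        "safe": fetch_safe(conn, 2, tautology),               # [] : payload matched nothing
        "safe_legit": fetch_safe(conn, 2, 2),                 # normal lookup still works
        "table_before": table_exists(conn),
    }
    fetch_unsafe_stacked(conn, 2, stacked)
    results["table_after"] = table_exists(conn)               # False: the table is gone
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Whether the second payload actually drops the table depends on the driver accepting stacked statements; the first one needs nothing more than the concatenation itself, which is why binding parameters (or, failing that, escaping and validating the field) is the fix rather than hoping the driver rejects a ';'.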