Error: Unable to open the database file
dochawk at gmail.com
Fri Apr 8 01:31:45 CEST 2016
On Wed, Apr 6, 2016 at 1:03 PM, Peter Haworth <pete at lcsql.com> wrote:
> Now you've got me worried! I had the impression that since the php scripts
> run on my server and access the mySQL database on the same server, there
> wouldn't be any sql injection issues, particularly since I never send any
> SQL statements from my client app to the server.
In the middle of the text, a user puts something like
'; || SELECT * FROM fizzbin ;DROP TABLE fizz bin; SELECT '
I've probably hacked up the syntax, and there might be an intermediate
query needed to get the table name, but something like this grabs all your
data and deletes it while you thought you were doing an INSERT or such.
Dr. Richard E. Hawkins, Esq.
More information about the use-livecode