Error: Unable to open the database file
Mark Wieder
mwieder at ahsoftware.net
Thu Apr 7 22:18:39 EDT 2016
On 04/07/2016 06:41 PM, Peter Haworth wrote:
> Right, I think I have that covered since I prepare and bind the data in
> separate steps using the php functions for those purposes.
>
> So instead of assembling a SELECT statement like this:
>
> SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'
>
> ... and then executing it directly, I prepare this statement:
>
> SELECT col1,col2,col3 FROM table WHERE col4=?
>
> ...and then bind the supplied user data to the ? placeholder. Any injected
> data for the col4 value is treated as part of the value to be searched for
> in col4 rather than an extension of the SELECT statement.
... WHERE col4='*' or 1=1;
--
Mark Wieder
ahsoftware at gmail.com
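The contrast Peter describes and Mark's one-line reply points at, as an added example (not code from the thread) using Python's sqlite3 module: the same user text is run once spliced into the statement and once bound to a `?` placeholder. The table name `items`, its rows and the search inputs are constructed for the demonstration; the columns are the `col1..col4` from Peter's message.

```python
import sqlite3

# Constructed sample rows (not from the thread); "items" is an assumed name.
ROWS = [
    (1, "a", "x", "alpha"),
    (2, "b", "y", "beta"),
    (3, "c", "z", "gamma"),
]


def make_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (col1, col2, col3, col4)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_concat(conn, user_value):
    """The pattern Peter says he avoids: the user's text becomes part of the
    SQL, so a quote inside it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT col1,col2,col3 FROM items WHERE col4='" + user_value + "'"
    return conn.execute(sql).fetchall()


def search_bound(conn, user_value):
    """The pattern Peter uses: prepare with a ? placeholder and bind the value
    separately, so the whole string is compared against col4 as data."""
    sql = "SELECT col1,col2,col3 FROM items WHERE col4=?"
    return conn.execute(sql, (user_value,)).fetchall()


# Input in the spirit of Mark's line: the quote closes the col4 literal and
# the OR makes the WHERE clause true for every row when concatenated.
ALWAYS_TRUE = "*' or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("concat, normal value:", search_concat(db, "beta"))
    print("bound,  normal value:", search_bound(db, "beta"))
    print("concat, quote input: ", search_concat(db, ALWAYS_TRUE))  # all rows
    print("bound,  quote input: ", search_bound(db, ALWAYS_TRUE))   # no rows
```

With the bound version the quote character never reaches the SQL parser, which is why the search for the literal string `*' or '1'='1` simply finds nothing.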