Error: Unable to open the database file

Peter Haworth pete at lcsql.com
Fri Apr 8 13:25:53 EDT 2016


Gave that a whirl with col4=? and a bind parameter of "*" OR 1=1 for it and
it returned no data.  Pretty sure it takes the whole string as a search
value for col4.



On Thu, Apr 7, 2016 at 7:19 PM Mark Wieder <mwieder at ahsoftware.net> wrote:

> On 04/07/2016 06:41 PM, Peter Haworth wrote:
> > Right, I think I have that covered since I prepare and bind the data in
> > separate steps using the php functions for those purposes.
> >
> > So instead of assembling a SELECT statement like this:
> >
> > SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'
> >
> > ... and then executing it directly, I prepare this statement:
> >
> > SELECT col1,col2,col3 FROM table WHERE col4=?
> >
> > ...and then bind the supplied user data to the ? placeholder.  Any
> > injected data for the col4 value is treated as part of the value to be
> > searched for in col4 rather than an extension of the SELECT statement.
>
> ... WHERE col4='*' or 1=1;
>
> --
>   Mark Wieder
>   ahsoftware at gmail.com
>
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
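The prepare-and-bind behaviour the quoted message describes, as an added example that is not part of the thread: it uses Python's sqlite3 module on a constructed in-memory table instead of the PHP functions mentioned, and takes the `*' OR 1=1` input and the column names from the thread (the rows are constructed). One row stores that string literally in col4, so the bound query finds exactly that row and nothing else; without such a row it returns nothing, which is what Peter saw.

```python
import sqlite3

INJECTED = "*' OR 1=1"   # the input discussed in the thread


def make_db() -> sqlite3.Connection:
    # Constructed sample table standing in for "table" in the thread; the
    # last row has the injection string as its literal col4 value.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany(
        "INSERT INTO t VALUES (?, ?, ?, ?)",
        [("a1", "a2", "a3", "apple"),
         ("b1", "b2", "b3", "banana"),
         ("c1", "c2", "c3", INJECTED)],
    )
    return conn


def search_assembled(conn: sqlite3.Connection, user_value: str):
    # The pattern the thread warns against: the user value is spliced into
    # the SQL text, so its quote and OR are parsed as SQL rather than data.
    # Returns ("rows", [...]) or ("error", message) so outcomes can be compared.
    sql = "SELECT col1,col2,col3 FROM t WHERE col4='" + user_value + "'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


def search_prepared(conn: sqlite3.Connection, user_value: str):
    # Placeholder plus bound parameter: the value never becomes SQL text,
    # so it can only be compared against col4 as one whole string.
    sql = "SELECT col1,col2,col3 FROM t WHERE col4=?"
    return conn.execute(sql, (user_value,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("assembled:", search_assembled(db, INJECTED))
    print("prepared :", search_prepared(db, INJECTED))
    print("prepared, legitimate value:", search_prepared(db, "apple"))
```

With the assembled form the input's quote terminates the literal early and the rest is handed to the parser, which here surfaces as a syntax error; with the bound form the same bytes are just a value to match.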
