Error: Unable to open the database file

Dr. Hawkins dochawk at gmail.com
Thu Apr 7 19:31:45 EDT 2016


On Wed, Apr 6, 2016 at 1:03 PM, Peter Haworth <pete at lcsql.com> wrote:

> Now you've got me worried!  I had the impression that since the php scripts
> run on my server and access the mySQL database on the same server, there
> wouldn't be any sql injection issues, particularly since I never send any
> SQL statements from my client app to the server.
>

In the middle of the text, a user puts something like

'; || SELECT * FROM fizzbin ;DROP TABLE fizz bin; SELECT '


I've probably hacked up the syntax, and there might be an intermediate
query needed to get the table name, but something like this grabs all your
data and deletes it while you thought you were doing an INSERT or such.
-- 
Dr. Richard E. Hawkins, Esq.
(702) 508-8462



More information about the use-livecode mailing list