List: General Discussion
From: Paul DuBois   Date: December 7 1999 8:26pm
Subject: Re: stoopid date acceptance
At 5:07 PM +0100 11/30/99, Matthias Urlichs wrote:
>Hi,
>
>Vivek Khera:
>>
>>  FA> So, by extension, I should verify first if my integers are
>>integers, or?...
>>  Yes.  It is your responsibility to ensure your data is what you expect
>>  it to be before storing it.  If not, then you risk trying to store
>>  certain data into a format or space that cannot store it.  Don't they
>>  teach these things in school anymore? ;-)
>>
>Case in point, somebody types "0;drop table foobar;" into your nice
>"enter a serial number here" field.
>
>Oops.

I've seen this type of exploit before, but how does that actually
work in MySQL?  You can only issue a single query at a time through
the APIs.

If you executed the query by forking off a mysql client, I can see
why that would be a problem, but that would be highly inefficient.

-- 
Paul DuBois, paul@stripped