At 2:38 AM -0500 1999-12-24, Andy wrote:
>At 07:00 AM 12/23/99 -0800, you wrote:
>>Some people might write a website to take user input and directly stuff it
>>into an SQL statement. Say that your Perl code were to look like:
>>$dbh->do( "UPDATE mytable SET selection=\"$userinput\" WHERE
>>What if the user entered $moreuserinput as (15" OR "1"="1)? Then it would
>>change the selection for _all_ rows!
>I'm not sure I understand how the input (15" OR "1"="1) would cause the
>selection field for every row to be updated. Could you explain more?
>I'm new to this security issue. Please bear with me.
>>All data from the user should be appropriately quoted before it's sent to
>>MYSQL. DBI's use of ? is ideal for this:
>>$dbh->do( "UPDATE mytable SET selection=? WHERE id=?", $userinput,
>>This will have the same effect for "normal" user data, but it will always
>>quote the user data as appropriate.
>I'm using php instead of perl, what should I do in the above case?
In Perl DBI, you use the quote() method or placeholders, and then you don't
need to add quotes around the value in the query string, because both of
those methods will add them for you.
$moreuserinput = $dbh->quote ($moreuserinput);
$dbh->do( "UPDATE mytable SET selection=\"$userinput\" WHERE
In PHP, use addslashes(), but in this case you do need to add the quotes
around the value, because addslashes() doesn't do it for you.
$moreuserinput = addslashes ($moreuserinput);
$result = mysql_query ( "UPDATE mytable SET selection=\"$userinput\" WHERE
Paul DuBois, paul@stripped
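To make the three approaches in the reply concrete, here is an added example that is not from the thread or from DBI/PHP themselves: it is Python on an in-memory SQLite table, with the same hostile value (in single-quote form, since SQLite and standard SQL use single quotes for strings where MySQL also accepts double quotes). quote_sql_string() is a hypothetical stand-in for DBI's quote() that doubles embedded quotes rather than backslash-escaping them as addslashes() does; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample data standing in for "mytable" from the thread.
SAMPLE_ROWS = [(1, "red"), (2, "green"), (3, "blue")]

# The hostile input from the thread, written with single quotes because
# SQLite string literals use them (MySQL additionally accepts double quotes).
HOSTILE_ID = "15' OR '1'='1"


def make_db():
    """Fresh in-memory table so every demonstration starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (id INTEGER PRIMARY KEY, selection TEXT)")
    conn.executemany("INSERT INTO mytable (id, selection) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def selections(conn):
    """Current contents as {id: selection}, to see which rows an UPDATE touched."""
    return dict(conn.execute("SELECT id, selection FROM mytable ORDER BY id"))


def update_interpolated(conn, userinput, moreuserinput):
    """The vulnerable pattern from the thread: raw user data pasted into the
    SQL text.  Returns (sql_sent, rows_changed)."""
    sql = "UPDATE mytable SET selection='%s' WHERE id='%s'" % (userinput, moreuserinput)
    cur = conn.execute(sql)
    conn.commit()
    return sql, cur.rowcount


def quote_sql_string(value):
    """Hypothetical stand-in for DBI's quote(): wraps the value in quotes and
    escapes embedded quotes by doubling them (standard SQL).  MySQL also
    honours backslash escapes, which is what PHP's addslashes() produces."""
    return "'" + str(value).replace("'", "''") + "'"


def update_quoted(conn, userinput, moreuserinput):
    """Escaping approach.  The caller must NOT add quotes around the value,
    because quote_sql_string() already did, as the reply says for quote()."""
    sql = "UPDATE mytable SET selection=%s WHERE id=%s" % (
        quote_sql_string(userinput), quote_sql_string(moreuserinput))
    cur = conn.execute(sql)
    conn.commit()
    return sql, cur.rowcount


def update_placeholders(conn, userinput, moreuserinput):
    """Placeholder approach (DBI's ?): the data never becomes part of the SQL
    text, so no quoting decision is left to the programmer."""
    cur = conn.execute("UPDATE mytable SET selection=? WHERE id=?",
                       (userinput, moreuserinput))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    for name, fn in [("interpolated", update_interpolated), ("quoted", update_quoted)]:
        conn = make_db()
        sql, n = fn(conn, "hacked", HOSTILE_ID)
        print("%-12s %s" % (name, sql))
        print("             -> %d row(s) changed: %s" % (n, selections(conn)))
    conn = make_db()
    n = update_placeholders(conn, "hacked", HOSTILE_ID)
    print("placeholders -> %d row(s) changed: %s" % (n, selections(conn)))
```

Run as a script it shows the interpolated statement ending in WHERE id='15' OR '1'='1', which rewrites every row, while the quoted and placeholder versions send the whole hostile string as one id value and change nothing. The quoted form still depends on the programmer remembering to quote every value and to leave out the surrounding quotes; placeholders remove that decision entirely.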