From:
Date: February 15 2005 5:33pm
Subject: Re: ERROR 1037 caused by simple query
List-Archive: http://lists.mysql.com/win32/16583
Message-Id: <6.0.1.1.0.20050215102243.02a9e718@mail.stdnet.com>

At 10:18 AM 2/15/2005, Markus Hoenicka wrote:
>SGreen@stripped was heard to say:
> > You have discovered one of my pet peeves. You are quoting numbers. Numbers
> > do not need quotes unless they are being STORED AS CHARACTERS.

I would suggest the opposite: ALWAYS quote all your arguments, even numbers,
especially if you're dealing with a web application. Consider the following
queries where ID is an Integer and "123" is passed in from a web application:

#1) SELECT * FROM Users WHERE ID=123;
#2) SELECT * FROM Users WHERE ID="123";

Now let's pretend that the application programmer didn't perform proper data
validation on the incoming "123" value. Let's also pretend that some snot-nosed
punk manages to enter "123; DELETE FROM Users" as his user ID. Now, your
queries are...

#1) SELECT * FROM Users WHERE ID=123; DELETE FROM Users;
#2) SELECT * FROM Users WHERE ID="123; DELETE FROM Users";

#1 will likely execute BOTH queries (yours and the snot-nosed's). Buh-bye Users
table.
#2 will not execute.

- Jonathan Lampe, GCIA, GSNA - jonathan.lampe@stripped
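As an added example, not part of the original message or the list thread: the same Users lookup written so the incoming ID is validated as an integer and passed as a bound parameter, so the value never becomes part of the statement text at all. It uses an in-memory sqlite3 database as a stand-in for MySQL (an assumption), and the table contents are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the Users table from the post (sqlite3, not MySQL)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (ID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)",
                     [(123, "alice"), (456, "bob")])
    conn.commit()
    return conn


def lookup_user(conn, raw_id):
    """Validate the web input as an integer, then bind it as a parameter.

    Returns the matching (ID, Name) row, or None when the input is not a
    valid ID. The SQL text is a fixed single statement; the value travels
    separately, so "123; DELETE FROM Users" can never be parsed as SQL."""
    try:
        user_id = int(str(raw_id).strip())
    except ValueError:
        return None  # rejected before any query is run
    return conn.execute("SELECT ID, Name FROM Users WHERE ID = ?",
                        (user_id,)).fetchone()


def lookup_bound_only(conn, raw_id):
    """Same query with parameter binding but no validation step.

    Shown to separate the two defenses: even without validation, the bound
    string is compared as data, so no second statement can be introduced."""
    return conn.execute("SELECT ID, Name FROM Users WHERE ID = ?",
                        (raw_id,)).fetchone()


def user_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]


def demo():
    """Run the post's two inputs through both lookups; returns
    (validated hit, validated reject, bound-only reject, rows left)."""
    conn = make_db()
    hit = lookup_user(conn, "123")
    rejected = lookup_user(conn, "123; DELETE FROM Users")
    bound = lookup_bound_only(conn, "123; DELETE FROM Users")
    return hit, rejected, bound, user_count(conn)


if __name__ == "__main__":
    print(demo())
```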