On 1 Jul 2001 aliasat_private wrote:

> arbitrary PHP Codes as apache user.
> From: <sl4shat_private>
> Date: Sun, 1 Jul 2001 23:43:17 GMT
> Message-id: <200107012343.115eat_private>
>
> Note: sorry for my pitiful English.
>
> *****************************************************
> *******************************
>
> First of all, I want to ask a question: is it normal
> that if, in a MySQL query -via PHP-, I put
> "select * from $table" . "_files where ID=1"
> and I post table="atable #", MySQL considers the new
> query as a valid one (so the final query will be
> "select * from atable")? It's, in my opinion, a
> serious hole in MySQL query...
> (I use mysql_query() to do this)

It's not a MySQL problem, but a problem of writing good code ...
You get the same problems when doing those things with e.g. Oracle.

You NEVER should concatenate SQL queries. You'll have the same problems
when concatenating requests that will be executed on system level. For
example doing the lousy sendmail call from a CGI program without checking
the parameters.

One solution is to check the parameters for escape characters, as it's
normally done in unix system calls ...

The better way is to bind all variables to a database call. This way the
SQL query itself is a constant string. The bound parameters can't be
manipulated (if the database engine does not contain any bugs ;-)

I think it's a common mistake of many (so called) programmers to
concatenate the requests ... it's less typing ...

So it's not a problem of MySQL and it's not a problem of PHP either. You
can do the same things using perl for example ...

> *****************************************************
> *******************************
...
> e WAP...
> http://www.ifrance.com/_reloc/email.emailif

tschau
Wolfgang
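The two patterns discussed in the thread side by side, as an added example that is not part of the original messages. It assumes a MySQL table named atable_files with an integer ID column and an open mysqli connection; the function names and the allow-list contents are invented for illustration. It also shows the caveat the reply does not spell out: bound parameters only cover values, so an identifier such as the table name still has to be validated another way.

```php
<?php
// Added example (not from the original thread). Assumes a MySQL database with a
// table atable_files(ID INT, name VARCHAR) and $db as an open mysqli connection.

// Vulnerable pattern from the quoted message: both the table name and the ID are
// pasted straight into the query text. Posting table="atable #" makes MySQL treat
// "#_files where ID=1" as a comment, so the statement that runs is
// "select * from atable". Kept only to show what the hardened version replaces.
function files_vulnerable(mysqli $db, string $table, string $id): mysqli_result|false
{
    $sql = "select * from $table" . "_files where ID=$id";
    return $db->query($sql);
}

// Hardened version.
// 1. The query string is a constant; the ID travels as a bound parameter, so the
//    server never parses it as SQL (this is the "bind all variables" advice).
// 2. Identifiers cannot be bound, so the table name is checked against a fixed
//    allow-list before it is placed in the statement.
const ALLOWED_TABLES = ['atable', 'btable']; // hypothetical allow-list

function files_safe(mysqli $db, string $table, string $id): array
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('ID must be a non-negative integer');
    }
    $idInt = (int) $id;

    // Backticks quote the identifier; the value placeholder is bound below.
    $stmt = $db->prepare("SELECT * FROM `{$table}_files` WHERE ID = ?");
    $stmt->bind_param('i', $idInt);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage sketch: the payload from the thread is rejected instead of rewriting the query.
// $db = new mysqli('localhost', 'user', 'pass', 'appdb');
// files_safe($db, 'atable', '1');          // runs the intended statement
// files_safe($db, 'atable #', '1');        // throws InvalidArgumentException
```

The allow-list is deliberately strict: escaping a table name with backticks alone would still let a caller pick any table the application user can read, which is why identifier choice is limited to known names rather than sanitized.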
This archive was generated by hypermail 2b30 : Mon Jul 02 2001 - 12:43:51 PDT