Re: sql injection and php

From: Greg Hunt (gregat_private)
Date: Wed May 29 2002 - 11:24:52 PDT

    > You can do much damage without using the quote character:
    > 
    >   http://example.com/show.php?id=3;+DELETE+FROM+Customer
    I thought either PHP or MySQL won't allow more than one query in a mysql_query() call. I tested the above out on a small script that does a query like:
    
    $query = mysql_query("select * from test where id = $_GET[id]");
    
    and the script returns this:
    You have an error in your SQL syntax near ';DELETE from test' at line 1
    
    -Greg
    -- 
    ------SupplyEdge-------
    Greg Hunt
    800-733-3380 x 107
    gregat_private
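
An added example, not from the thread: it reproduces Greg's observation (the driver refuses a second statement in one call) and shows the hardened form of the query. It uses Python's sqlite3 module as a runnable stand-in for PHP/MySQL, with a constructed in-memory `test` table; the single-statement refusal is a property of the client library, not an input check, so the fix is still to validate and bind the value.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the post's MySQL 'test' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO test VALUES (?, ?)", [(1, "alice"), (3, "carol")])
    conn.commit()
    return conn


def lookup_unsafe(conn, raw_id):
    """Mirrors the post's query: the request value is pasted straight into the SQL text."""
    return conn.execute(f"select * from test where id = {raw_id}").fetchall()


def lookup_safe(conn, raw_id):
    """Hardened form: require a plain integer, then bind it as a parameter."""
    try:
        id_value = int(raw_id)
    except (TypeError, ValueError):
        return []  # anything that is not an integer id is rejected outright
    return conn.execute("select * from test where id = ?", (id_value,)).fetchall()


def demo():
    conn = make_db()
    stacked = "3; DELETE FROM test"  # the stacked-statement shape quoted in the thread
    results = {}
    results["unsafe_normal"] = lookup_unsafe(conn, "3")
    try:
        lookup_unsafe(conn, stacked)
        results["unsafe_stacked"] = "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError) as e:
        # like the MySQL error in the post, the driver refuses the second statement
        results["unsafe_stacked"] = str(e)
    results["safe_normal"] = lookup_safe(conn, "3")
    results["safe_stacked"] = lookup_safe(conn, stacked)  # fails int(), never reaches SQL
    results["rows_left"] = conn.execute("select count(*) from test").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```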
    



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 13:56:17 PDT