On Thursday 19 June 2008 11:20, Michael Mientus wrote:
On Sun, Jun 15, 2008 at 6:03 PM, Cristian Rodríguez wrote:
$sql = "SELECT * FROM names WHERE ID=$ID";
^^ security hole !!!
...
How is ID=$ID a security hole?
If it comes from user-submitted input, it can be used to alter the syntax of the request and fundamentally alter the DBMS command executed. That is the reason for Prepared Statements, which are like pre-compiled statement templates. No matter what parameters get inserted into a Prepared Statement, it will not change the structure of the SQL statement. Search the Web for "Injection Exploit" to get more information on this topic.
Mike
Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
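The point Mike makes above, as an added example that is not code from the thread: Python with an in-memory sqlite3 database stands in for the original PHP/DBMS, and the `names` table and the two inputs are constructed for illustration. The interpolated query lets the input rewrite the WHERE clause; the prepared statement binds the same input as a plain value.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the `names` table from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (ID INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO names VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_interpolated(conn, user_id):
    # Mirrors `$sql = "SELECT * FROM names WHERE ID=$ID"`: the input is
    # pasted into the SQL text, so it can change the statement's structure.
    sql = f"SELECT * FROM names WHERE ID={user_id}"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, user_id):
    # Prepared statement: the template is fixed at parse time and the
    # value is bound separately, so it is only ever compared as a value.
    return conn.execute("SELECT * FROM names WHERE ID=?", (user_id,)).fetchall()


def lookup_validated(conn, user_id):
    # Defence in depth: reject anything that is not an integer before it
    # reaches the database, and still bind it as a parameter.
    try:
        n = int(user_id)
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer")
    return conn.execute("SELECT * FROM names WHERE ID=?", (n,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    honest = "2"
    hostile = "2 OR 1=1"  # constructed input that alters the WHERE clause
    print(lookup_interpolated(conn, honest))   # one row
    print(lookup_interpolated(conn, hostile))  # every row comes back
    print(lookup_prepared(conn, hostile))      # no row has that literal ID
    print(lookup_validated(conn, honest))      # one row
```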