in reply to Getting a value from a PHP script

    $result = mysql_query("SELECT * FROM tablename WHERE username = '$user'");

You have an SQL injection vulnerability there.

Makeshifts last the longest.

Re: Re: Getting a value from a PHP script
by jens (Pilgrim) on Sep 18, 2002 at 23:14 UTC
    You have an SQL injection vulnerability there.

    Forgive my ignorance, but what is an "SQL injection vulnerability"?

    --
    Microsoft delendum est.

      You'll notice that in the code sample I provided I threw in a question mark. That is a placeholder, a way of ensuring proper quoting with DBI. I'm not sure how PHP implements this. If someone were to spoof their REMOTE_USER string to report
       bill' OR 'cracked'='cracked

      you suddenly have a breach where all the data in that table is pulled in.
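An added worked example of the point made in the reply above (not code from the thread or from either poster): the original query built by string interpolation, side by side with the placeholder version, run against the payload `bill' OR 'cracked'='cracked`. Python's sqlite3 module stands in for PHP's mysql_query and Perl's DBI here, since it uses the same `?` placeholder convention; the table name, columns and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the thread's "tablename".
SAMPLE_ROWS = [
    ("alice", "alice@example.org"),
    ("bill", "bill@example.org"),
    ("carol", "carol@example.org"),
]

# The payload from the thread, as it would arrive in a spoofed REMOTE_USER.
PAYLOAD = "bill' OR 'cracked'='cracked"


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO tablename VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, user):
    """Mirror of the original mysql_query line: the value is pasted into the
    SQL text, so the quote in the payload closes the string and the rest
    becomes SQL. Deliberately vulnerable; kept only to show the breach."""
    sql = "SELECT * FROM tablename WHERE username = '%s'" % user
    return conn.execute(sql).fetchall()


def lookup_safe(conn, user):
    """The DBI-style fix: a ? placeholder with the value bound separately.
    The driver sends the value as data, never as part of the SQL grammar,
    so no quoting by hand is needed."""
    return conn.execute(
        "SELECT * FROM tablename WHERE username = ?", (user,)
    ).fetchall()


def demo():
    """Run both lookups with a normal username and with the payload and
    return the row counts, so the difference is visible in one place."""
    conn = make_db()
    return {
        "normal_vulnerable": len(lookup_vulnerable(conn, "bill")),
        "normal_safe": len(lookup_safe(conn, "bill")),
        "payload_vulnerable": len(lookup_vulnerable(conn, PAYLOAD)),
        "payload_safe": len(lookup_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```

With the plain username both versions return the single matching row. With the payload the interpolated query becomes `... WHERE username = 'bill' OR 'cracked'='cracked'`, which is true for every row and dumps the whole table, while the placeholder version looks for a user literally named `bill' OR 'cracked'='cracked` and returns nothing.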