Re^4: Hacker Proofing My Script

I don't know a heck of a lot about MySQL, but according to gmax's excellent New twist for DBD::mysql, DBD::mysql currently does emulate placeholders but in such a way as to preserve security. I'd suggest reading his node for further details.

Comment on Re^4: Hacker Proofing My Script

Replies are listed 'Best First'.
Re^5: Hacker Proofing My Script by CountZero (Bishop) on Oct 04, 2004 at 22:24 UTC
It doesn't seem to be totally secure: As for LIMIT ?,?. The reason why it was not supported since 2.9002 is that it allowed for sql injection attacks, and it is not trivial to fix, in fact, I just scanned over Patrick's code and found a bug in the LIMIT handling code as can be read in Re: New twist for DBD::mysql. CountZero "If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law	[reply]

Replies are listed 'Best First'.

Re^5: Hacker Proofing My Script
by CountZero (Bishop) on Oct 04, 2004 at 22:24 UTC

As for LIMIT ?,?. The reason why it was not supported since 2.9002 is that it allowed for sql injection attacks, and it is not trivial to fix, in fact, I *just* scanned over Patrick's code and found a bug in the LIMIT handling code

Re: New twist for DBD::mysql

CountZero

"If you have four groups working on a compiler, you'll get a 4-pass compiler." - Conway's Law

[reply]