Re: SQL Injection
Rick
Thanks for that but I believe I am correct in saying that mysql_real_escape_string / mysqli_real_escape_string are php only whereas for my sins I use asp.net.
As to your other points you are quite right, if you give users the ability to write and execute their own SQL then you will need to apply a much higher level of validation. For instance in your example of LIMIT you need to prevent people writing LIMIT = ten because that is another syntax error.
But I suggest that it would be unwise to design a system which allows users to write and execute their own SQL against a database containing information that they are not supposed to see.
So I remain perplexed and look forward to a real example how SQL injection can be achieved in properly written code which creates dynamic SQL.
Subject
Written By
Posted
November 28, 2009 10:43AM
November 28, 2009 11:48AM
November 29, 2009 09:32AM
November 30, 2009 12:21PM
November 29, 2009 12:03AM
Re: SQL Injection
November 29, 2009 09:49AM
November 29, 2009 11:59AM
November 29, 2009 01:37PM
November 29, 2009 02:36PM
November 29, 2009 03:09PM
November 30, 2009 08:45AM
November 30, 2009 09:51AM
November 30, 2009 10:17AM
November 30, 2009 08:39AM
November 30, 2009 10:55AM
November 30, 2009 11:34AM
December 01, 2009 04:14AM
Sorry, you can't reply to this topic. It has been closed.
Content reproduced on this site is the property of the respective copyright holders.
It is not reviewed in advance by Oracle and does not necessarily represent the opinion
of Oracle or any other party.