
Re: Unique Constraint Using My Own Definition of "Equals"
Posted by: Rick James
Date: March 07, 2009 11:55PM

Yep, mostly SOL.

The database can do some policing, but not all. While you are protecting your db from your users, ponder this "sql injection" nasty:

The user gets to input his name; let's say you put it into $name. Then you execute this SELECT and return the results to him:
SELECT * FROM UserInfo WHERE name = '$name';
Now, let's suppose he fills in the form with
x' OR 'y' = 'y
Then you blissfully dump your entire table for him:
SELECT * FROM UserInfo WHERE name = 'x' OR 'y' = 'y';
Ok maybe that is not a good example, but do protect yourself by checking that numbers contain only digits and that strings are escaped (mysql_real_escape_string() or equivalent).

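The injection in the post, run end to end, as an added example that is not part of the original post. It assumes an in-memory sqlite3 database standing in for MySQL so it runs offline, with a constructed UserInfo table of three rows; lookup_vulnerable pastes the input into the query text exactly as the post describes, lookup_safe uses driver parameter binding as the "or equivalent" of escaping (the value is sent separately, so a quote in it can never become SQL syntax), and lookup_by_id applies the post's digits-only rule for numeric fields. All function names and the sample rows are this example's own.

```python
import re
import sqlite3

# Constructed sample data for the post's UserInfo table (assumption: sqlite3
# is used here instead of MySQL so the example runs offline).
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory UserInfo table filled with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserInfo (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern from the post: the user's input is spliced into the SQL text.
    With name = "x' OR 'y' = 'y" the statement becomes
        SELECT * FROM UserInfo WHERE name = 'x' OR 'y' = 'y';
    and every row comes back."""
    sql = f"SELECT * FROM UserInfo WHERE name = '{name}';"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the driver transmits the value separately from the
    statement, so quotes inside it are data, not syntax. The same payload now
    matches nothing."""
    return conn.execute(
        "SELECT * FROM UserInfo WHERE name = ?", (name,)
    ).fetchall()


def lookup_by_id(conn: sqlite3.Connection, user_id: str) -> list:
    """The post's other rule: a field that must be a number is checked to
    contain only digits before it goes anywhere near the query."""
    if not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError(f"invalid id: {user_id!r}")
    return conn.execute(
        "SELECT * FROM UserInfo WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR 'y' = 'y"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # dumps all rows
    print("safe:      ", lookup_safe(conn, payload))        # []
    print("by id:     ", lookup_by_id(conn, "2"))
    try:
        lookup_by_id(conn, "2 OR 1=1")
    except ValueError as err:
        print("rejected:  ", err)
```

The digit check is worth keeping even with bound parameters: it turns garbage in a numeric field into a clean validation error instead of a database-side type error or, with a less careful driver, a silently coerced value.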