Using parameters to prevent disaster
Posted by: Martin Sanneblad
Date: November 22, 2004 04:58AM

How can using parameters prevent db-disaster?

Example:
(where eMail is a string containing data which the user submitted)
string query = "UPDATE `customer` SET `email` = '" + eMail + "' WHERE `custNo` = 1";

I read that a malicious user could put in some escape characters to trick the database into doing all sorts of bad stuff. Is this possible with the above code? Would using parameters prevent that?

Thanks,
Martin
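The following is an added worked example, not part of Martin's post, that shows the difference between building the UPDATE by string concatenation (as in the question) and passing the e-mail address as a bound parameter. It uses Python's standard-library sqlite3 module standing in for MySQL so that it runs offline with no server; the table layout (`customer` with `custNo` and `email`), the two sample rows and the injected string are all constructed for the example. The behaviour with a MySQL driver is the same, since every DB-API driver accepts `cursor.execute(sql, params)` and keeps the parameter values out of the SQL text.

```python
import sqlite3

# sqlite3 stands in for MySQL here so the example is self-contained (assumption);
# the concatenation-vs-parameter difference is identical with a MySQL driver.

def make_db():
    """Create an in-memory database with a constructed `customer` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (custNo INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO customer VALUES (?, ?)",
        [(1, "alice@example.com"), (2, "bob@example.com")],  # constructed rows
    )
    conn.commit()
    return conn


def update_email_concat(conn, email):
    """Vulnerable: the user-supplied string becomes part of the SQL text,
    exactly as in the question's concatenated query."""
    query = "UPDATE customer SET email = '" + email + "' WHERE custNo = 1"
    conn.execute(query)
    conn.commit()


def update_email_param(conn, email):
    """Safe: the SQL text is fixed; the value travels separately as a
    parameter and is never parsed as SQL, whatever quotes it contains."""
    conn.execute("UPDATE customer SET email = ? WHERE custNo = 1", (email,))
    conn.commit()


def emails(conn):
    """Return {custNo: email} so the outcome of each update can be inspected."""
    return dict(conn.execute("SELECT custNo, email FROM customer ORDER BY custNo"))


# Constructed malicious input. The single quote closes the string literal,
# "WHERE 1=1" replaces the intended "WHERE custNo = 1", and "-- " comments out
# the rest of the original query (the trailing space keeps MySQL happy too).
PAYLOAD = "x' WHERE 1=1 -- "


def demo():
    """Run the same hostile input through both versions and return the results."""
    vuln = make_db()
    update_email_concat(vuln, PAYLOAD)   # every customer's e-mail is overwritten

    safe = make_db()
    update_email_param(safe, PAYLOAD)    # only customer 1 changes, to the literal text

    return emails(vuln), emails(safe)


if __name__ == "__main__":
    after_concat, after_param = demo()
    print("concatenated query:", after_concat)
    print("parameterised query:", after_param)
```

With the concatenated query the statement the database actually executes is `UPDATE customer SET email = 'x' WHERE 1=1 -- ' WHERE custNo = 1`, so the WHERE clause the programmer wrote is gone and every row is overwritten. With the parameterised query the stored e-mail for customer 1 is the odd-looking literal `x' WHERE 1=1 -- `, which is harmless: the database never treated it as SQL. Escaping quotes by hand can be made to work, but parameters remove the problem rather than patching it, and they also let the server reuse the prepared statement.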
