Vulnerability Development mailing list archives

Re: sql injection and php


From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 29 May 2002 23:05:54 +0200

[Greg Hunt]

|   I thought either PHP or MySQL won't allow more than one query in a
|   mysql_query() call.

PostgreSQL (which I use) supports it.  MySQL did not support it the
last time I checked (a long time ago), but I found a TODO item that
stated it should be supported in the future.

I still think it is a bad idea to let anyone pass whatever they wish
to the database.  What happens when you upgrade your database to a
product/version that supports what the original database did not?  Who
is responsible for fixing the new security problems?  Will anyone
realise that you have any problems to fix at all, as soon as all
functionality is in place?

Letting it through because "the database I currently use does not
support it" has very little to do with secure programming.  In my
humble opinion.


Sverre.

-- 
shh () thathost com                     Computer Geek?  Try my Nerd Quiz
http://shh.thathost.com/                http://nerdquiz.thathost.com/

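The behaviour the message describes, as an added example that is not part of the original thread or anyone's posted code: the same string-built query passed to a driver that refuses stacked statements, to one that runs them, and then the parameterised form. Python's sqlite3 module is used as a stand-in for both engines, since its cursor.execute() rejects a second statement in one string while executescript() runs every statement it is given. The table, the rows, the attacker inputs and the function names (fresh_db, lookup_vulnerable, lookup_safe, demo) are constructed for this demonstration.

```python
"""Stacked-statement SQL injection, and why "my database rejects it" is not a fix.

Added example, not from the original mailing-list message. SQLite's Python
driver stands in for the two behaviours discussed in the thread:
cursor.execute() refuses a second statement in one string (the single-statement
behaviour relied on in the thread), while executescript() runs every statement
it is given (the multi-statement behaviour Sverre describes). Schema, rows and
attacker inputs are constructed for the demo.
"""
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """Constructed sample table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    conn.commit()
    return conn


def user_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def lookup_vulnerable(conn, name, runs_stacked_statements=False):
    """The pattern under discussion: user input pasted into the query text.

    Returns the matching e-mail addresses, or None when the driver refused
    the query (single-statement engine) or ran it as a script (no rows back).
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    if runs_stacked_statements:
        # Engine/driver that executes every statement in the string.
        conn.executescript(sql)
        return None
    try:
        return sorted(row[0] for row in conn.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # "You can only execute one statement at a time." -- the second
        # statement was rejected, but only because this driver happens to.
        return None


def lookup_safe(conn, name):
    """Bound parameter: the input is data and is never parsed as SQL, on any engine."""
    cur = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in cur.fetchall())


def demo():
    results = {}
    stacked = "x'; DELETE FROM users WHERE 'a'='a"  # constructed attacker input
    tautology = "' OR '1'='1"                       # needs no second statement

    conn = fresh_db()
    results["single_stmt_rejects_stack"] = lookup_vulnerable(conn, stacked) is None
    results["rows_after_rejection"] = user_count(conn)
    # A single-statement engine still hands every row to the tautology.
    results["tautology_rows"] = lookup_vulnerable(conn, tautology)

    # Same code, same input, after "upgrading" to an engine that runs stacks.
    lookup_vulnerable(conn, stacked, runs_stacked_statements=True)
    results["rows_after_stack"] = user_count(conn)

    conn = fresh_db()
    results["safe_stack"] = lookup_safe(conn, stacked)
    results["safe_rows"] = user_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the file directly and compare the two `rows_after_*` entries: the single-statement driver leaves the table intact only by accident, the tautology input drains it through that same driver without any second statement, and the bound-parameter version returns nothing and deletes nothing under either engine.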