Vulnerability Development mailing list archives
Re: sql injection and php
From: Greg Hunt <greg () supplyedge com>
Date: Wed, 29 May 2002 11:24:52 -0700
You can do much damage without using the quote character: http://example.com/show.php?id=3;+DELETE+FROM+Customer
I thought either PHP or MySQL won't allow more than one query in a mysql_query() call. I tested the above out on a small script that does a query like:

$query = mysql_query("select * from test where id = $_GET[id]");

and the script returns this:

You have an error in your SQL syntax near ';DELETE from test' at line 1

-Greg

--
------SupplyEdge-------
Greg Hunt
800-733-3380 x 107
greg () supplyedge com
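The behaviour reported in this message, beside a hardened form of the same lookup, as an added example that is not part of the original post. Python's sqlite3 stands in for PHP and MySQL (an assumption, chosen so the block runs offline), since its execute() also refuses more than one statement per call; the function names and the three-row table are constructed for illustration.

```python
import re
import sqlite3

PAGE_INPUT = "3;DELETE from test"  # id value as echoed in the error text quoted above

def make_db():
    """Constructed three-row table standing in for the 'test' table in the message."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE test (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO test VALUES (?, ?)", [(1, "a"), (2, "b"), (3, "c")])
    db.commit()
    return db

def row_count(db):
    return db.execute("SELECT COUNT(*) FROM test").fetchone()[0]

def show_concatenated(db, raw_id):
    """Same shape as the script in the message: the request value is pasted into the SQL."""
    sql = "select * from test where id = " + raw_id
    try:
        return ("rows", db.execute(sql).fetchall())
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Refused by the single-statement API, but only after the input became SQL text.
        return ("driver_error", str(exc))

def show_bound(db, raw_id):
    """Hardened form: reject anything that is not a short decimal id, then bind it."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return ("rejected", None)
    rows = db.execute("select * from test where id = ?", (int(raw_id),)).fetchall()
    return ("rows", rows)

if __name__ == "__main__":
    db = make_db()
    for handler in (show_concatenated, show_bound):
        for value in ("3", PAGE_INPUT):
            print(handler.__name__, repr(value), "->", handler(db, value))
    print("rows left in test:", row_count(db))
```

In the concatenated version the table survives only because the driver accepts one statement per call; the request value had already been spliced into the SQL text. In the bound version the value is checked as an integer and passed as a parameter, so it never reaches the parser as SQL.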