[ic] "==" and "!=" as DB field values
Mike Heins
mike at perusion.com
Tue Oct 28 11:01:44 EST 2003
Quoting Doug Alcorn (doug at lathi.net):
> Stefan Hornburg <racke at linuxia.de> writes:
>
> > $Db{products}->query("select * from products where name = '$CGI->{foo}'");
> >
> > => that's unsafe IMHO
>
> Just to clarify, if
>
> $CGI->{foo} = "'; delete from products;'"
>
> Then there could be problems.
This is not correct; IC doesn't pass statements to a SQL shell, and
you cannot pass multiple commands in this way.
It might be possible to construct a subselect, but I hope that
no SQL allows a delete or update as a side-effect of a subselect.
--
Mike Heins
Perusion -- Expert Interchange Consulting http://www.perusion.com/
phone +1.513.523.7621 <mike at perusion.com>
For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled. -- Dick Feynman