[ic] "==" and "!=" as DB field values

Mike Heins mike at perusion.com
Tue Oct 28 11:01:44 EST 2003

Quoting Doug Alcorn (doug at lathi.net):
> Stefan Hornburg <racke at linuxia.de> writes:
> > $Db{products}->query("select * from products where name = '$CGI->{foo}'");
> >
> > => that's unsafe IMHO
> Just to clarify, if
>    $GCI->{foo} = "'; delete from products;'"
> Then there could be problems.

This is not correct; IC doesn't pass statements to a SQL shell, and
you cannot pass multiple commands in this way.

It might be possible to construct a subselect, but I hope that
no SQL allows a delete or update as a side-effect of a subselect.

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike at perusion.com>

For a successful technology, reality must take precedence over public
relations, for Nature cannot be fooled. -- Dick Feynman

More information about the interchange-users mailing list