p.f.moore at gmail.com
Tue Apr 26 10:29:46 CEST 2005
On 4/26/05, Donovan Preston <dp at ulaluma.com> wrote:
> I'm trying to show my wife how to get some simple things done with
> PHP, mostly because there are huge reference books she can read and
> follow. (It's unfortunate that there are no nice Python solutions I
> can teach her, including my own, but we'll fix that, right?) In the
> example I'm following to construct some SQL, they do:
> $bar = 'some string'
> $baz = 42
> $query = "INSERT INTO foo VALUES ('$bar', $baz)"
> Are you telling me if $bar contains ' then all hell will break loose?
Very definitely. With something like
$bar = 'joe\'s string'
the "hell" is a relatively benign syntax error in the SQL. However, if
I had a bit of time, I could construct a value for $bar which could do
all sorts of exciting things to your data. This is what people are
talking about when they refer to "SQL Injection" attacks.
Google for "SQL Injection" if you want to know more. Or for a web page
which walks you through how to execute a SQL injection attack on a
website, look at http://www.unixwiz.net/techtips/sql-injection.html -
great reading if you want to increase your level of paranoia :-)
More information about the Web-SIG