[Date Prev][Date Next][Thread Prev][Thread Next][Interchange by date
][Interchange by thread
]
[ic] Writing informaton to database
Steven Potter wrote:
> >
> > Although I don't understand your security concern with [query] and SQL,
> > I would suggest you edit the catalogue's etc/log_transaction file.
> > Copy the existing method of writing to the transactions table, but use
> > your own table name and contents.
> >
> The security concern with [query] is that if I had a statement like the
> following:
>
> [query sql=INSERT INTO table VALUES('[first_name]',.....]
>
> What if the user was to enter something like this into the first_name field:
>
> ; DELETE FROM table WHERE 1=1; That could cause some serious problems...
>
Then the actual SQL would look like this:
INSERT INTO table VALUES('; DELETE FROM table WHERE 1=1;', ... );
That would insert the specified value into the table. It would not
execute a DELETE. As long as you escape any quotes etc. properly,
you will not have a problem.
--
_/ _/ _/_/_/_/ _/ _/ _/_/_/ _/ _/
_/_/_/ _/_/ _/ _/ _/ _/_/ _/ K e v i n W a l s h
_/ _/ _/ _/ _/ _/ _/ _/_/ kevin@cursor.uk.com
_/ _/ _/_/_/_/ _/ _/_/_/ _/ _/