Penetration Testing: Re: [PEN-TEST] Hacking SQL queries ...

Re: [PEN-TEST] Hacking SQL queries ...

From: Florian Specker <specker_at_ICU.UNIZH.CH>
Date: Thu, 8 Feb 2001 01:38:25 +0100

> Since I'm an SQL newbie, I'd be curious to know how someone could supply
> the appropriate input to do bad things on the SQL server - either in R/O or
> R/W mode

Well, I didn't dive too deeply into this subject, but AFAIK, as long as
the user input is just strings that get escaped, there shouldn't be a
problem (correct me if I'm wrong). But if user input gets written into
an INT field (or any other data type that does not require those "'"),
you're in trouble if you write without server-side checking... imagine an
HTML form containing only integer values, in combination with a query
like:
SELECT Name FROM Users WHERE ID = <user_input> ORDER BY Name

no problem if <user_input> is really integer... but what about

5; DROP TABLE SomeOtherTable; SELECT Name FROM Users WHERE ID = 5

? Hope you've got a backup :)

cheers, florian

-- 
         Florian Specker, specker_at_icu.unizh.ch
-------------------------------------------------------
   I don't need life insurance. I want everyone to
      be really sad when I die one day.
Received on Feb 08 2001
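
The unquoted integer case from the message above, as an added example (not part of the original post): the concatenated query next to a version with a server-side integer check and a bound parameter. It assumes an in-memory SQLite database with constructed sample rows; executescript() stands in for a database driver that accepts several statements in one call, and the function names are hypothetical.

```python
import sqlite3

# The input quoted in the post.
PAYLOAD = "5; DROP TABLE SomeOtherTable; SELECT Name FROM Users WHERE ID = 5"

def make_db():
    # Constructed sample data; table names follow the post.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (ID INTEGER PRIMARY KEY, Name TEXT);
        INSERT INTO Users VALUES (5, 'alice'), (6, 'bob');
        CREATE TABLE SomeOtherTable (x INTEGER);
    """)
    return db

def table_exists(db, name):
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None

def lookup_vulnerable(db, user_input):
    # 'Before': the value is pasted into a numeric position, so there are
    # no quotes to escape and the input can end the statement with ';'.
    db.executescript(
        "SELECT Name FROM Users WHERE ID = " + user_input + " ORDER BY Name"
    )

def parse_id(user_input):
    # Server-side check: plain ASCII digits only, bounded length.
    s = user_input.strip()
    if not (s.isascii() and s.isdigit() and len(s) <= 18):
        raise ValueError("ID must be a non-negative integer")
    return int(s)

def lookup_safe(db, user_input):
    # 'After': validated integer passed as a bound parameter, never as SQL text.
    cur = db.execute(
        "SELECT Name FROM Users WHERE ID = ? ORDER BY Name",
        (parse_id(user_input),),
    )
    return [row[0] for row in cur.fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(lookup_safe(db, "5"))
    lookup_vulnerable(db, PAYLOAD)
    print("SomeOtherTable still exists:", table_exists(db, "SomeOtherTable"))
```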