Marian Heddesheimer wrote:
The reason is, when a user on your website should enter a name and
enter this instead:
myname'; drop table customers;
your php script will create a statement like this:
$query = "set name='myname'; drop table customers;"
This is only possible if you don't escape slashes (and ensure integers are
cast as such) when you create the query; and you should *always* do this,
otherwise people *will* attempt to do exactly this. It's called SQL
injection.
So say you were expecting a variable called "name" to come in from the query
string, you'd construct your query like so:
$sql = "SELECT something FROM sometable WHERE name = '" .
addslashes($_GET['name']) . "'";
Now if they'd set name to "myname'; drop table customers;" you'd end up
with:
SELECT something FROM sometable WHERE name = 'myname\'; drop table
customers;'
Because the ' in the variable is now escaped, the whole attempted sql
injection will go to the server as the string to match against, instead of
trying to run two queries.
--
Chris Hope
The Electric Toolbox -
http://www.electrictoolbox.com/
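An added example, not from either poster, that reproduces the string concatenation and the addslashes() escaping discussed above in Python against an in-memory SQLite table, and puts a parameterised query beside them. The addslashes function is a hand-written emulation of PHP's, and the customers table and PAYLOAD are constructed sample data.

```python
import sqlite3

# Constructed sample input: the exact payload the thread discusses.
PAYLOAD = "myname'; drop table customers;"

def addslashes(value: str) -> str:
    """Emulate PHP's addslashes(): backslash-prefix ', ", \\ and NUL (MySQL-style)."""
    escaped = []
    for ch in value:
        if ch in "'\"\\":
            escaped.append("\\" + ch)
        elif ch == "\0":
            escaped.append("\\0")
        else:
            escaped.append(ch)
    return "".join(escaped)

def build_query_unsafe(name: str) -> str:
    """The pattern the thread warns about: user input spliced straight into SQL."""
    return "SELECT something FROM sometable WHERE name = '" + name + "'"

def build_query_escaped(name: str) -> str:
    """The reply's fix: escape the value before splicing it in."""
    return "SELECT something FROM sometable WHERE name = '" + addslashes(name) + "'"

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the 'customers' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.execute("INSERT INTO customers VALUES ('myname')")
    return conn

def find_customer(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the driver passes the value separately from the SQL
    text, so a quote inside it can never close the literal or start a new statement."""
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [r[0] for r in rows]

def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    """Check that the table survived the lookup (it does: the payload is just data)."""
    rows = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,))
    return rows.fetchone() is not None

if __name__ == "__main__":
    print(build_query_unsafe(PAYLOAD))   # two statements, as in Marian's message
    print(build_query_escaped(PAYLOAD))  # one statement, quote escaped, as in Chris's reply
    db = make_db()
    print(find_customer(db, PAYLOAD), table_exists(db, "customers"))
```

Backslash escaping is MySQL's convention; SQLite's own escape is a doubled quote, which is one reason the parameterised form is the portable choice.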