Marcelo Wolfgang wrote:
>> and what if $_GET['id'] is something like
>> "1; DROP TABLE tb_emails;"
>> ??
>> SQL injection just waits to happen
>
> Something I just thought, he could do a drop table inside an update
> statement? because the query is:
> UPDATE tb_emails SET bol_active = $action WHERE auto_id = $id
> so if he changed the $action or the $id, it will be inside the UPDATE,
> doesn't changing any of the variables to a DROP TABLE just give an
> error?
> TIA
> Marcelo

No. That's why he put the semi-colon after the 1.
It becomes
update tb_emails set bol_active = $action where auto_id = 1; drop table
tb_emails;
That's two separate statements that will be happily executed if you're
not careful.
Try it (on a scratch table).
Lori
--
PHP General Mailing List (http://www.php.net/)
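
Added example, not part of the original thread: the scratch-table test suggested above, followed by a validated, parameter-bound form of the same UPDATE. It assumes an in-memory SQLite database through PDO (the pdo_sqlite extension), whose exec() runs every statement in the string; the table and column names come from the thread, while the rows and function names are constructed for illustration.

```php
<?php
// Added example: scratch in-memory SQLite table via PDO (assumes pdo_sqlite).
// Table and column names are from the thread; rows and helper names are constructed.

function scratchDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tb_emails (auto_id INTEGER PRIMARY KEY, bol_active INTEGER)');
    $db->exec('INSERT INTO tb_emails (auto_id, bol_active) VALUES (1, 0), (2, 0)');
    return $db;
}

function tableExists(PDO $db): bool {
    $stmt = $db->query("SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'tb_emails'");
    return (int) $stmt->fetchColumn() === 1;
}

// Vulnerable: request values are pasted into the SQL text, as in the thread's query.
function updateConcatenated(PDO $db, string $action, string $id): void {
    $db->exec("UPDATE tb_emails SET bol_active = $action WHERE auto_id = $id");
}

// Hardened: reject non-integers, then bind the values so they stay data, not SQL.
function updateBound(PDO $db, string $action, string $id): bool {
    $actionInt = filter_var($action, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 1]]);
    $idInt = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($actionInt === false || $idInt === false) {
        return false; // malformed input never reaches the database
    }
    $stmt = $db->prepare('UPDATE tb_emails SET bol_active = :action WHERE auto_id = :id');
    $stmt->execute([':action' => $actionInt, ':id' => $idInt]);
    return $stmt->rowCount() === 1;
}

$payload = '1; DROP TABLE tb_emails;'; // the value quoted in the thread

$db = scratchDb();
updateConcatenated($db, '1', $payload);
echo 'concatenated query, table still exists: ', var_export(tableExists($db), true), PHP_EOL;

$db = scratchDb();
$accepted = updateBound($db, '1', $payload);
echo 'bound query accepted payload: ', var_export($accepted, true), PHP_EOL;
echo 'bound query, table still exists: ', var_export(tableExists($db), true), PHP_EOL;
echo 'bound query with id 2 updated a row: ', var_export(updateBound($db, '1', '2'), true), PHP_EOL;
```

Whether a second statement runs in the concatenated form depends on the database driver and the call used, which is why binding and validation are applied regardless of driver.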