On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw <onatawahtaw@xxxxxxxx> wrote:
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for ASP.net and some is for PHP.
I have looked at the link. Most problems with injecting SQL code come from adding
something to the WHERE clause, ending it with a semicolon and adding an
additional SQL command after the semicolon. In this case you have two
SQL commands. The first may be a SELECT command and the next can
drop a whole table with all its content.
One thing you can do is to trim the SELECT statement and throw away everything
after a semicolon, along with the semicolon itself.
Another security method of MySQL is that the field variables are encapsulated by
escaping. So MySQL gets notice that this is variable content for a
form field and should be treated as such.
Regards,
Ruprecht
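The two outcomes described in the thread, as an added example that is not part of the original mail: the concatenated WHERE clause runs the appended command, while binding the value as a driver parameter (the escaping/encapsulation of field values Ruprecht mentions, performed by the driver) keeps the whole input as data. It assumes an in-memory SQLite table in place of the MySQL one and uses a constructed form input.

```python
import sqlite3

# Constructed sample rows standing in for the MySQL table (assumption: an
# in-memory SQLite database; the injection pattern is the same on MySQL).
SAMPLE_ROWS = [("alice",), ("bob",)]
# Constructed form input that closes the string literal, ends the SELECT with
# a semicolon and appends a second command, as described in the thread.
STACKED_INPUT = "x'; DROP TABLE users; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", SAMPLE_ROWS)
    return conn


def table_exists(conn, table="users"):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def lookup_unsafe(conn, name):
    # Vulnerable form: the form value is pasted straight into the WHERE clause.
    # executescript runs every statement in the string, which mirrors a MySQL
    # connection with multi-statement execution enabled (assumption).
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    conn.executescript(sql)
    return sql


def lookup_safe(conn, name):
    # Hardened form: the value is bound as a parameter, so the driver hands it
    # to the database as data; quotes and semicolons inside it stay literal.
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo():
    safe_conn = make_db()
    safe_rows = lookup_safe(safe_conn, STACKED_INPUT)  # [] : no such name
    safe_table_ok = table_exists(safe_conn)             # True: table untouched
    unsafe_conn = make_db()
    lookup_unsafe(unsafe_conn, STACKED_INPUT)
    unsafe_table_ok = table_exists(unsafe_conn)         # False: table dropped
    return safe_rows, safe_table_ok, unsafe_table_ok


if __name__ == "__main__":
    print(demo())
```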
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php