On 12 Sep 2020 05:03:48 GMT
A. Dumas wrote:
> The Natural Philosopher wrote:
> > On 11/09/2020 19:50, Andy Burns wrote:
> >> The Natural Philosopher wrote:
> >>
> >>> $query = "insert into data set";
> >>> $flag=0;
> >>> foreach($fields as $name) //read variables and add to query
> >>> {
> >>> if($flag) $query .=',';
> >>> if(isset($_GET[$name]))
> >>> $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
> >>> else
> >>> $query.= sprintf(" %s='%s'",$name,"");
> >>> $flag++;
> >>> }
> >>
> >>
> > funny, but obviously you don't understand sql as the sample code
> > specifically cannot do that kind of thing.
> > That is the reason why the SQL command is not passed.
> > And it is the reason why all the arguments are 'quoted'.
That is insufficient protection.
> You mixed up _GET and _POST, there are no sanity checks and you just dump
> it in the sql string. What if _POST[$name] starts with '; ?
Precisely.
> The key is to
> use mysqli_real_escape_string($dblink, $strval) or the equivalent for your
> db.
Doesn't mysql provide prepared statements with placeholders like
sqlite does? Those are the safest and easiest way to put user data into
SQL.
--
Steve O'Hara-Smith | Directable Mirror Arrays
C:\>WIN | A better way to focus the sun
The computer obeys and wins. | licences available see
You lose and Bill collects. | http://www.sohara.org/
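An added example (not code from the thread or any poster) of the quoted loop rebuilt with a mysqli prepared statement, as the reply suggests; `$dblink`, the `$fields` list, the table name `data` and the sample row are assumptions. Column names cannot be bound as placeholders, so they come only from the fixed `$fields` allowlist while every value is bound with `?`.

```php
<?php
// Added example, not from the thread. Builds "INSERT INTO data SET col = ?, ..."
// from an allowlisted column list and binds the request values as parameters,
// so a value such as "'; ..." is stored verbatim and never parsed as SQL.

function build_insert(array $fields, array $input): array
{
    if ($fields === []) {
        throw new InvalidArgumentException('no columns to insert');
    }
    $assignments = [];
    $values = [];
    foreach ($fields as $name) {
        // Identifiers cannot be placeholders: accept only plain names from our own list.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad column name: $name");
        }
        $assignments[] = "`$name` = ?";
        // A missing field becomes '', matching the original loop's behaviour.
        $values[] = isset($input[$name]) ? (string) $input[$name] : '';
    }
    return ['INSERT INTO data SET ' . implode(', ', $assignments), $values];
}

function insert_row(mysqli $dblink, array $fields, array $input): bool
{
    [$sql, $values] = build_insert($fields, $input);
    $stmt = $dblink->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dblink->error);
    }
    // One 's' per value: user-supplied strings travel as data, not as SQL text.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Offline demonstration with a constructed row; $fields is a fixed list in the
// script, never taken from the request.
$fields = ['name', 'email'];
$row = ['name' => "'; O'Brien", 'email' => 'ob@example.com'];
[$sql, $values] = build_insert($fields, $row);
echo $sql, "\n";   // INSERT INTO data SET `name` = ?, `email` = ?
// With a live connection: insert_row($dblink, $fields, $_POST);
```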