On 12/09/2020 08:04, Ahem A Rivet's Shot wrote:
> On 12 Sep 2020 05:03:48 GMT
> A. Dumas wrote:
>
>> The Natural Philosopher wrote:
>>> On 11/09/2020 19:50, Andy Burns wrote:
>>>> The Natural Philosopher wrote:
>>>>
>>>>> $query = "insert into data set";
>>>>> $flag=0;
>>>>> foreach($fields as $name) //read variables and add to query
>>>>> {
>>>>>     if($flag) $query .=',';
>>>>>     if(isset($_GET[$name]))
>>>>>         $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
>>>>>     else
>>>>>         $query.= sprintf(" %s='%s'",$name,"");
>>>>>     $flag++;
>>>>> }
>>>>
>>>>
>>> funny, but obviously you don't understand sql as the sample code
>>> specifically cannot do that kind of thing.
>>> That is the reason why the SQL command is not passed.
>>> And it is the reason why all the arguments are 'quoted'.
>
> That is insufficient protection.
>
>> You mixed up _GET and _POST, there are no sanity checks and you just dump
>> it in the sql string. What if _POST[$name] starts with '; ?
>
I adapted it from a POST script.
If _POST[$name] starts with '; you will get an sql error when sql
encounters set field = '';'
> Precisely.
>
wrong
>> The key is to
>> use mysqli_real_escape_string($dblink, $strval) or the equivalent for your
>> db.
>
> Doesn't mysql provide prepared statements with placeholders like
> sqlite does ? Those are the safest and easiest way to put user date into
> SQL.
>
Of course. I was merely illustrating the principle. Using https and curl
with a password means the only person sending is your script anyway.
It is unlikely that the NSA would wish to destroy your climate data,
though for sure the eco warriors would want to make it scarier. But they
are crap at everything including SQL.
--
"Anyone who believes that the laws of physics are mere social
conventions is invited to try transgressing those conventions from the
windows of my apartment. (I live on the twenty-first floor.) "
Alan Sokal
--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | FidoUsenet Gateway (3:770/3)
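The prepared-statement approach raised in the thread, written out as an added example (not code from any poster). It rebuilds the same `INSERT INTO data SET ...` loop with mysqli placeholders; it assumes `$dblink` is an open mysqli connection and `$fields` is a server-side whitelist of column names, neither of which comes from the request.

```php
<?php
// Added example, not from the thread: the quoted loop rebuilt with a
// prepared statement so that request values are never spliced into SQL.
// Assumptions: $dblink is an open mysqli connection; $fields is a
// server-side whitelist of column names (never taken from the request).
function insertData(mysqli $dblink, array $fields, array $input): bool
{
    // Column names cannot be bound as parameters, so they must come from
    // the whitelist and are checked against a strict identifier pattern.
    // Each value becomes a '?' placeholder instead of a quoted literal.
    $cols = [];
    $values = [];
    foreach ($fields as $name) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad column name: $name");
        }
        $cols[] = "`$name` = ?";
        // Missing fields are stored as '' exactly as the original loop did.
        $values[] = isset($input[$name]) ? (string) $input[$name] : '';
    }
    $sql = 'INSERT INTO data SET ' . implode(', ', $cols);

    $stmt = $dblink->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $dblink->error);
    }
    // One 's' per value: every value travels as a string parameter and is
    // never parsed as SQL, so a value starting with '; is stored verbatim
    // rather than producing an SQL error or altering the statement.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage: read from one source only (the quoted code tested $_GET but
// inserted $_POST). The column list is hypothetical.
// $fields = ['temperature', 'humidity', 'station'];
// insertData($dblink, $fields, $_POST);
```

Column names still have to be whitelisted in code, since placeholders only cover values; mysqli_real_escape_string is no longer needed anywhere in this path.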