On 12/09/2020 11:45, Andy Burns wrote:
> The Natural Philosopher wrote:
>
>> Andy Burns wrote:
>>
>>> The Natural Philosopher wrote:
>>>
>>>> $query = "insert into data set";
>>>> $flag=0;
>>>> foreach($fields as $name) //read variables and add to query
>>>> {
>>>> if($flag) $query .=',';
>>>> if(isset($_GET[$name]))
>>>> $query.= sprintf(" %s='%s'",$name,$_POST[$name]);
>>>> else
>>>> $query.= sprintf(" %s='%s'",$name,"");
>>>> $flag++;
>>>> }
>>>
>>>
>>
>> funny, but obviously you don't understand sql
>
> I don't claim to specialize in SQL, but I've done my share, however it's
> your bugs being discussed not mine.
>
>> as the sample code specifically cannot do that kind of thing.
>
> Can I smuggle a single-quote and a semicolon into the $_POST[] array,
> so that you concatenate it onto your query string thinking it's merely a
> value? Yes I can.
No. Try it.
>
>> That is the reason why the SQL command is not passed.
>> And it is the reason why all the arguments are 'quoted'.
>
> If you think those mitigate SQL injection attacks you are badly
> mistaken. Your code could use a fixed query string referencing
> @variables which are initialised with the values passed.
It could.
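Andy's suggestion worked through, as an added example that is not from the thread: the same per-field loop rewritten with PDO bound parameters (named placeholders rather than MySQL @variables), beside the original string-building version so the difference is visible. It assumes PHP 7.4+ with the pdo_sqlite driver; the table, the field list and the request input are constructed.

```php
<?php
// Added example, not from the thread: the same field loop, but with bound
// parameters, so a quote or semicolon inside a value stays inside the value.
// Assumes PHP with the pdo_sqlite driver; table, field list and input are
// constructed. The MySQL-only "INSERT ... SET" form is replaced by the
// portable column/VALUES form because this runs on SQLite.

function insertRecord(PDO $pdo, array $fields, array $input): int
{
    // $fields is the application's fixed allow-list of column names; the
    // identifiers come from it, never from the request.
    $cols  = implode(', ', $fields);
    $marks = implode(', ', array_map(fn($f) => ":$f", $fields));
    $stmt  = $pdo->prepare("INSERT INTO data ($cols) VALUES ($marks)");

    $params = [];
    foreach ($fields as $name) {
        // Missing fields become '' exactly as in the original loop.
        $params[":$name"] = isset($input[$name]) ? (string)$input[$name] : '';
    }
    $stmt->execute($params);   // values are sent bound, not concatenated
    return $stmt->rowCount();
}

// The thread's string-building loop, kept only to print the resulting text.
function unsafeQuery(array $fields, array $input): string
{
    $query = "INSERT INTO data SET";
    $flag  = 0;
    foreach ($fields as $name) {
        if ($flag) $query .= ',';
        $query .= sprintf(" %s='%s'", $name, $input[$name] ?? '');
        $flag++;
    }
    return $query;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE data (name TEXT, email TEXT, note TEXT)");
$fields = ['name', 'email', 'note'];
// Constructed input: the note carries the quote and semicolon the thread mentions.
$input = ['name' => "O'Brien", 'email' => 'ob@example.invalid',
          'note' => "x'; DROP TABLE data; --"];

echo unsafeQuery($fields, $input), "\n";        // the quote ends the literal early
insertRecord($pdo, $fields, $input);
$row = $pdo->query("SELECT note FROM data")->fetch(PDO::FETCH_ASSOC);
echo $row['note'], "\n";                        // the note comes back verbatim
```

The printed unsafe string shows the literal closed by the embedded quote, while the bound version stores the whole note as one value and the table survives.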