merrebornDec 28, 2006
Perl is just as vulnerable to SQL injection, XSS and CSRF as any other language.
akinderDec 28, 2006
Exactly, the only thing you can do with most versions of MySQL would be a UNION SELECT to pull, say, a session ID from a table, to hijack the session. I've never seen a DROP DATABASE command work, and if it does, what the hell are you doing allowing your unpriv'd user drop the database?
distiDec 29, 2006
And the DBI docs tell you to use a question mark in statements (do and prepare functions) and then use bind variables in the do and execute functions. For example:

    $sth = $dbh->prepare("INSERT INTO table(foo,bar,baz) VALUES (?,?,?)");
    $sth->execute( $foo, $bar, $baz ); # in following loop maybe
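The placeholder discipline disti describes, shown as an added example (not code from the thread), in Python's sqlite3 module, whose `?` placeholders bind values the same way DBI's do. The users table, its rows and the crafted input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a small users table for the demonstration.
SAMPLE_USERS = [
    (1, "alice", "s3ss10n-alice"),
    (2, "bob", "s3ss10n-bob"),
]


def make_db():
    """Create an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, session_id TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_interpolated(conn, name):
    """Vulnerable: the user-supplied name is pasted into the SQL text,
    so quote characters in it change the statement's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_bound(conn, name):
    """Safe: the statement text is fixed at prepare time and the value
    travels as a bind parameter, so it can only ever be compared as data."""
    sql = "SELECT name FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed input containing a quote
    print("interpolated:", lookup_interpolated(conn, crafted))  # every row
    print("bound:", lookup_bound(conn, crafted))  # no such user
```

With the bound form the same crafted string simply fails to match any name, which is the behaviour a unit test should assert on.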
copeDec 29, 2006
/** Break a string down to add to the database *
rspeedDec 30, 2006
@Sp4nk I hope you're not a PHP developer. If you were, and I were your boss, I'd kick your ass.
havensbreezeMar 3, 2007
good article about PHP and security
Closed AccountOct 28, 2008
What good info for me... thanks bro... I will try it. http://fastfreephplearning.blogspot.com/