String#+

The fact that this feature would make Ruby easier to learn was a
small twig on the fire

Well, perhaps it gives some material for an advanced Ruby class: how to
override methods you don't like.

class String
  alias oldplus +          # keep the original String#+ reachable
  def +(other)
    oldplus(other.to_s)    # coerce the right-hand side to a String first
  end
end

"hello"+5                  # => "hello5" with the override; TypeError without it

I was generating SQL statements at the time.

Hopefully nothing like this:

sql = "select * from foo where key = '" + myvar + "'"

If you encourage your students to do that, sooner or later their databases
will get hacked :slight_smile:

Since the statement should invoke a quoting function anyway, that function
can do the implicit to_s that you want.

Regards,

Brian.

Hopefully nothing like this:

sql = "select * from foo where key = '" + myvar + "'"

If you encourage your students to do that, sooner or later their databases
will get hacked :slight_smile:

···

----- Original Message -----

I was generating SQL statements at the time.


This isn’t part of any tutorial; it’s for my own stuff. In any case, I
don’t see how you can say that the above code will eventually get the
database hacked. Clearly, it depends on where ‘myvar’ is coming from.
These are not strings from the cgi post hash! (I’m not evaling any strings
from the user, either. :slight_smile: ‘myvar’ could come from trusted session data, or
from a previous query…

Perhaps I’m not understanding you.

Chris

Hi,

sql = "select * from foo where key = '" + myvar + "'"

If you encourage your students to do that, sooner or later their databases
will get hacked :slight_smile:

This isn’t part of any tutorial; it’s for my own stuff. In any case, I
don’t see how you can say that the above code will eventually get the
database hacked. Clearly, it depends on where ‘myvar’ is coming from.

I think Brian was talking about the “SQL injection vulnerability”.
Consider:
myvar = "' or '' = '"

… you’ll end up with a complete dump of foo. That’s not too bad in the case
of a select (as it will “only” show some quasi-sensitive data). Now consider
the same code with a delete statement.

W.

···


Wejn <lists+rubytalk(at)box.cz>
(svamberk.net’s Linux section, fi.muni.cz student, linuxfan)

    Bored?  Want hours of entertainment?         <<<
      Just set the initdefault to 6!             <<<
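As an added example (not code from the thread or from any of its posters), the following Ruby shows both points in one place: the concatenation that Brian and Wejn discuss, fed the value Wejn gives, next to a quoting function of the kind Brian suggests that does the implicit to_s and escapes the quote. The table and column names come from the thread; the helper names (unsafe_sql, sql_quote, safe_sql, split_sql, looks_injected?) and the injected value are this example's own assumptions.

```ruby
# Added example, not from the thread. Builds the statement discussed above
# two ways and checks what the resulting SQL actually contains.

# The concatenation from the thread (to_s added so an Integer works too).
def unsafe_sql(myvar)
  "select * from foo where key = '" + myvar.to_s + "'"
end

# A quoting function of the kind Brian suggests: converts the value with to_s,
# escapes every embedded single quote by doubling it (standard SQL), and wraps
# the result in quotes. The function names here are this example's own choice.
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def safe_sql(myvar)
  "select * from foo where key = " + sql_quote(myvar)
end

# Splits a statement into the string literals it contains and the text
# outside them, honouring the doubled-quote escape. A raw check like this is
# useful for seeing how many literals an attacker-shaped value produced.
def split_sql(sql)
  literals = []
  outside = +""
  i = 0
  while i < sql.length
    if sql[i] != "'"
      outside << sql[i]
      i += 1
      next
    end
    buf = +""
    j = i + 1
    loop do
      raise ArgumentError, "unterminated literal in: #{sql}" if j >= sql.length
      if sql[j] != "'"
        buf << sql[j]
        j += 1
      elsif sql[j + 1] == "'"   # '' inside a literal is an escaped quote
        buf << "'"
        j += 2
      else
        break                   # closing quote
      end
    end
    literals << buf
    i = j + 1
  end
  [literals, outside]
end

# True when an OR appears outside any literal, i.e. the value reached the
# clause structure instead of staying data.
def looks_injected?(sql)
  _, outside = split_sql(sql)
  outside.match?(/\bor\b/i)
end

# Constructed input: the value Wejn describes.
INJECTED = "' or '' = '"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_sql(INJECTED)   # the literal is closed and a tautology appended
  puts safe_sql(INJECTED)     # the whole value stays a single literal
  puts safe_sql(5)            # to_s handled by the quoting function
end
```

With the unsafe builder the value turns into three empty literals with an `or` between them, which is the always-true condition Wejn describes; with the quoting function the same value stays one literal and the statement keeps a single comparison. In real code the database library's own quoting (or parameterized queries, where the driver keeps data and statement separate) should replace a hand-rolled gsub, since escaping rules differ between databases.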