Thursday, 15 November 2018

php - executing multi query in mysql_query() function



Suppose I have a query like this:



$std_id = $_POST['std_id'];
$name = $_POST['name'];
$family = $_POST['family'];

$sql = "insert into student set
std_id = $std_id,
name = '$name',
family = '$family'";
$query = mysql_query($sql,$conn);



I read in a PHP security book that if a user enters a value for the family field like:



ahmad';drop database test#


it can delete the database test.



But we know that the mysql_query() function only allows one query to be executed.
I want to know how this input can be unsafe.


Answer



There are many delusions in your question.
Let's sort them out.





  1. mysql_query() doesn't support execution of multiple queries.
    (so, it is useless to delete anything)

  2. Dropping tables in a separate query is not the only way of SQL injection.
    (so, it is useless to delete anything again)

  3. To protect your query you have to follow some well-known techniques, not some handmade inventions of doubtful efficiency.
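
The answer does not name a technique; prepared statements are one well-known choice. The script below is an added example, not code from the question or the answer: it uses PDO with an in-memory SQLite database as a stand-in for MySQL, and the helpers `insertConcatenated` and `insertPrepared` and the sample rows are constructed for illustration. It shows the question's value breaking a string-built insert without any second query running, and the same value stored as plain data when bound as a parameter.

```php
<?php
// Added example: SQLite in-memory stands in for MySQL so the script runs offline.
// INSERT ... SET is MySQL-only syntax, so the same insert is written with VALUES.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (std_id INTEGER, name TEXT, family TEXT)');

// Constructed sample input: a legitimate surname containing a quote, and the
// value quoted in the question.
$rows = [
    ['std_id' => '1', 'name' => 'Sam', 'family' => "O'Brien"],
    ['std_id' => '2', 'name' => 'Ali', 'family' => "ahmad';drop database test#"],
];

// Hypothetical helper: the question's pattern, input pasted into the SQL text.
function insertConcatenated(PDO $pdo, array $in): string
{
    $sql = "INSERT INTO student (std_id, name, family) VALUES ("
         . "{$in['std_id']}, '{$in['name']}', '{$in['family']}')";
    try {
        $pdo->exec($sql);
        return 'stored';
    } catch (PDOException $e) {
        // The quote in the value ended the string literal early: input became SQL.
        return 'rejected: ' . $e->getMessage();
    }
}

// Hypothetical helper: prepared statement, values travel separately from the SQL.
function insertPrepared(PDO $pdo, array $in): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO student (std_id, name, family) VALUES (:std_id, :name, :family)'
    );
    $stmt->bindValue(':std_id', (int) $in['std_id'], PDO::PARAM_INT);
    $stmt->bindValue(':name', $in['name'], PDO::PARAM_STR);
    $stmt->bindValue(':family', $in['family'], PDO::PARAM_STR);
    $stmt->execute();
}

foreach ($rows as $in) {
    echo "concatenated: ", insertConcatenated($pdo, $in), "\n";
    insertPrepared($pdo, $in);
}

// Only the prepared inserts succeeded; each value is stored unchanged as data.
foreach ($pdo->query('SELECT std_id, family FROM student') as $r) {
    echo $r['std_id'], ' => ', $r['family'], "\n";
}
```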

