Re: PS Re: GUI designer in html [message #182468 is a reply to message #182467]
Mon, 05 August 2013 23:59
Jerry Stuckle
On 8/5/2013 7:32 PM, The Natural Philosopher wrote:
> On 05/08/13 23:55, Norman Peelman wrote:
>> On 08/05/2013 10:57 AM, Twayne wrote:
>>> On 2013-08-05 12:41 AM, J.O. Aho wrote:
>>>> On 05/08/13 02:59, Norman Peelman wrote:
>>>> > On 08/04/2013 01:09 PM, J.O. Aho wrote:
>>>>
>>>
>>> ....
>>>
>>>> >
>>>> > That's only if you go out of your way to enable multiple statements
>>>> > by using 'mysqli_multi_query()', which doesn't support prepared
>>>> > statements. By default mysqli_query() and mysqli_real_query() do not
>>>> > allow multiple queries separated by semi-colons.
>>>> >
>>>> > http://us2.php.net/manual/en/mysqli.quickstart.multiple-statement.php
>>>>
>>>> Unless something changed, mysqli_query supports multiple statements,
>>>> but the return value does not give you the results from all the
>>>> queries; I think it returned the last one.
>>>>
>>>
>>> Quite correct, and as the manual states:
>>
>> No.
>>
>>> "
>>> MySQL optionally allows having multiple statements in one statement
>>> string. Sending multiple statements at once reduces client-server round
>>> trips but requires special handling.
>>>
>>> Multiple statements or multi queries must be executed with
>>> mysqli_multi_query(). The individual statements of the statement string
>>> are separated by semicolon. Then, all result sets returned by the
>>> executed statements must be fetched.
>>>
>>> The MySQL server allows having statements that do return result sets and
>>> statements that do not return result sets in one multiple statement.
>>> "
>>>
>>
>> You need to scroll down to the middle of the page and read
>> *Security considerations* and *Example #2*.
>>
>>
> Furthermore the manual for mysql_query (as opposed to mysqli_query)
> actually states:
>
> "mysql_query() sends a unique query (multiple queries are not
> supported) to the currently active database on the server that's
> associated with the specified link_identifier."
>
> so it would seem that this actual SQL injection method is an urban myth.
>
> From PHP anyway.
>
> ISTR I actually tried it once to see if my code was robust. I failed to
> destroy the database or indeed any data, at all.
>
Incorrect (as usual).
It only means you can't run multiple SQL statements. But that is only
ONE method of SQL injection; it is quite possible to screw up a database
in a single SQL statement.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================