From: | Davi Leal <davileal(at)terra(dot)es> |
---|---|
To: | pgsql-php(at)postgresql(dot)org |
Cc: | web-dev(at)gnuherds(dot)org |
Subject: | postgreSQL web form; Security |
Date: | 2003-07-14 19:10:14 |
Message-ID: | 200307142110.14069.davileal@terra.es |
Lists: | pgsql-php |
Hi,
We are developing a web page: PHP & postgreSQL. We can transform the (a)
query below into the (b) query if we add
"01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001"
as the value of Id in the web form.
(a) INSERT INTO tbRev (Id) VALUES ('01001');
(b) INSERT INTO tbRev (Id) VALUES ('01001'); DELETE FROM tbHosp; INSERT INTO
tbRev (Id) VALUES ('01001');
We are able to delete records. We have checked and it works! Microsoft
Access 2000 does not allow me to execute a compound query. It warns with
something similar to "ERROR; -2147217900 [Microsoft][Microsoft Access ODBC
Driver] Characters after the end of the first SQL query".
How can we avoid this security risk using PHP & postgreSQL?
Regards,
Davi
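The injection Davi describes works because pg_query() hands the whole string to libpq, which executes every statement in it, while the Access ODBC driver refuses anything after the first statement. The fix is to keep the form value out of the SQL text altogether. The following is an added example, not code from the original post or from the pgsql-php list; it assumes a reachable PostgreSQL database with tables tbRev (Id as a text column wide enough to hold the payload) and tbHosp, and placeholder connection parameters. pg_query_params() appeared in PHP 5.1, after this 2003 message; the escaping variant is what PHP 4.2 offered at the time.

```php
<?php
// Added example, not from the original post or the list. Assumes a live
// PostgreSQL connection and the tables tbRev(Id) and tbHosp; the DSN values
// below are placeholders.

// Payload from the post: closes the quoted value, adds a second statement,
// then re-opens an INSERT so the application's trailing "');" still parses.
$payload = "01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001";

$conn = pg_connect("host=localhost dbname=mydb user=webapp password=secret")
    or die("connection failed\n");

// (1) Vulnerable: the form value is spliced into the SQL text. pg_query()
// sends one string holding three statements and the server runs all three,
// so DELETE FROM tbHosp (no WHERE clause) empties the table.
function insert_unsafe($conn, $id)
{
    $sql = "INSERT INTO tbRev (Id) VALUES ('$id');";
    return pg_query($conn, $sql);
}

// (2) Safe, PHP >= 5.1: pg_query_params() sends the statement text and the
// value as separate protocol messages (extended query protocol). The value is
// never parsed as SQL, and a parameterized query may contain only a single
// statement, so the injected "; DELETE ..." is stored as data, not executed.
function insert_params($conn, $id)
{
    return pg_query_params($conn, 'INSERT INTO tbRev (Id) VALUES ($1)', array($id));
}

// (3) Safe on older PHP (connection argument needs PHP >= 5.2; PHP 4.2-5.1
// take only the string): pg_escape_string() doubles the embedded quote so it
// stays inside the literal. Correct only if the result is wrapped in single
// quotes; (2) is preferable because it does not depend on the escaper agreeing
// with the server's client_encoding and standard_conforming_strings settings.
function insert_escaped($conn, $id)
{
    $safe = pg_escape_string($conn, $id);
    return pg_query($conn, "INSERT INTO tbRev (Id) VALUES ('$safe')");
}

// Check: run the parameterized insert with the payload, then confirm tbHosp
// lost no rows and the payload landed in tbRev verbatim.
function rowcount($conn, $table)
{
    return (int) pg_fetch_result(pg_query($conn, "SELECT count(*) FROM $table"), 0, 0);
}

$before = rowcount($conn, 'tbHosp');
insert_params($conn, $payload) or die("insert failed: " . pg_last_error($conn) . "\n");
$after  = rowcount($conn, 'tbHosp');
$stored = (int) pg_fetch_result(
    pg_query_params($conn, 'SELECT count(*) FROM tbRev WHERE Id = $1', array($payload)),
    0, 0);

echo ($before === $after && $stored >= 1)
    ? "tbHosp intact ($before rows); payload stored as a plain value\n"
    : "unexpected result: tbHosp $before -> $after, stored=$stored\n";
```

Only the hardened functions are called; insert_unsafe() is shown for contrast and would destroy tbHosp if run with this payload. If a column holding such a value is later used to build another query by concatenation, the same problem reappears there, so every query that carries user-derived data should go through pg_query_params() rather than only the one on the form handler.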