postgreSQL web form; Security - Mailing list pgsql-php

From: Davi Leal
Subject: postgreSQL web form; Security
Msg-id: 200307142110.14069.davileal@terra.es
Responses: Re: postgreSQL web form; Security (Rod Taylor <rbt@rbt.ca>)
List: pgsql-php

Hi,

We are developing a web page: PHP & postgreSQL. We can transform query (a)
below into query (b) if we add

  "01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001"

as the value of Id in the web form.

(a) INSERT INTO tbRev (Id) VALUES ('01001');

(b) INSERT INTO tbRev (Id) VALUES ('01001'); DELETE FROM tbHosp; INSERT INTO
    tbRev (Id) VALUES ('01001');


We are able to delete records. We have checked, and it works! Microsoft
Access 2000 does not allow me to execute a compound query. It warns with
something similar to "ERROR; -2147217900 [Microsoft][Microsoft Access ODBC
Driver] Characters after the end of the first SQL query".


How can we avoid this security risk using PHP & postgreSQL?

Regards,
Davi


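Editor's note (added example; this is not code from the original post or from the pgsql-php thread). The injection above works because the Id value is concatenated into the SQL text, so the quote and semicolons it carries are parsed as SQL, and pg_query() hands the whole string to the server, which executes every statement in it. The fix is to keep the SQL text fixed and send the value as a parameter with pg_query_params(), so the payload is stored as data. Relying on a driver that rejects stacked statements, as Access does, is not a defense: a payload that stays inside one statement (for example a tautology in a WHERE clause) still injects. The code below assumes a PostgreSQL DSN in $dsn and the table tbRev(Id) from the post; the payload string is the one from the post.

```php
<?php
// Added example, not from the original post. Assumes:
//   - $dsn holds a PostgreSQL connection string (hypothetical value below)
//   - table tbRev has a text column Id, as in the post
// tbHosp is the table the post's payload deletes from; its schema is not given.

// Constructed input: the exact payload from the post, as it would arrive from
// the web form ($_POST['Id']).
$id = "01001'); DELETE FROM tbHosp; INSERT INTO tbRev (Id) VALUES ('01001";

// VULNERABLE: the value is spliced into the SQL text. The server receives
//   INSERT INTO tbRev (Id) VALUES ('01001'); DELETE FROM tbHosp; INSERT ...
// and pg_query() lets PostgreSQL run all three statements.
function insertRevUnsafe($conn, string $id): bool
{
    $sql = "INSERT INTO tbRev (Id) VALUES ('" . $id . "');";
    return pg_query($conn, $sql) !== false;   // DO NOT USE: this is the bug
}

// SAFE: parameterized query. The SQL text never changes; $1 is transmitted
// separately as a value, so quotes and semicolons inside $id are just
// characters of the stored string. pg_query_params() also allows only one
// statement in the SQL text.
function insertRevSafe($conn, string $id): bool
{
    $result = pg_query_params(
        $conn,
        'INSERT INTO tbRev (Id) VALUES ($1)',
        [$id]
    );
    return $result !== false;
}

// When a value genuinely cannot be a bind parameter, let the server library
// quote it instead of hand-escaping. pg_escape_literal() returns the value
// already wrapped in single quotes with embedded quotes doubled, using the
// connection's encoding and standard_conforming_strings setting.
function insertRevEscaped($conn, string $id): bool
{
    $lit = pg_escape_literal($conn, $id);
    return pg_query($conn, "INSERT INTO tbRev (Id) VALUES ($lit)") !== false;
}

// Hypothetical connection details for the example.
$dsn  = 'host=localhost dbname=appdb user=appuser password=secret';
$conn = pg_connect($dsn);
if ($conn === false) {
    exit("could not connect\n");
}

// The safe call stores the whole payload as the Id value of one row and
// leaves tbHosp untouched.
if (insertRevSafe($conn, $id)) {
    $check = pg_query_params($conn, 'SELECT Id FROM tbRev WHERE Id = $1', [$id]);
    echo pg_num_rows($check) . " row(s) hold the payload verbatim\n";
}

pg_close($conn);
```

Usage note: the same principle applies with PDO (PDO::prepare() followed by execute() with bound values, ideally with PDO::ATTR_EMULATE_PREPARES set to false so the PostgreSQL server itself performs the binding). For table or column names, which cannot be parameters, use pg_escape_identifier() or a whitelist rather than string concatenation.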