At 09:07 AM 09-04-2001 +0900, Yasuo Ohgaki wrote:
>If PQexec() makes sure "multiple sql statements query", passed to it, is
>executed atomically, I would like to take advantage of it.
If you want stuff done reasonably atomically you use transactions. Which
implementation actually does the statements atomically if you do what you
suggest?
I don't see much to be gained. I see more to be lost in terms of security.
If you don't allow multiple SQL statements per query, it minimizes the
damage if someone screws up security on their website.
There are a LOT of websites out there which pass cgi parameters directly to
the database without any quoting or filtering.
If multiple SQL statements were supported, they'd probably be in a more
serious position: drop database, drop table, etc.
When I checked some time back some PHP + MySQL scripts allowed multiple SQL
statements per query - just stick a semicolon in somewhere, and you can do
ANY arbitrary SQL you want.
for example:
select * from mytable where field='$cgiparam'
Someone just has to make sure $cgiparam is
1';drop table blah; select '1
And then you're screwed. Of course you aren't supposed to write apps that
way, but anyone want to tell the masses out there?
Cheerio,
Link.
