Re: UPDATE database using parameters


Re: UPDATE database using parameters

Peter da Silva
Using a straight PHP-level substitution like that performs the substitution before the SQL parser sees it. It’s also super dangerous if you’re not absolutely sure there’s no path for an untrusted agent to inject the name you’re selecting on.

https://xkcd.com/327/

On 7/21/17, 3:42 AM, "sqlite-users on behalf of Edmondo Borasio" <[hidden email] on behalf of [hidden email]> wrote:

    Hi and thanks for your email.
   
    I am using PHP with SQLite on an Apache server.
    That statement was taken from some advice I got from a forum.  I wasn't
    aware it was MySQL.
    I am new to SQLite and this is my first database.
   
    *"Table/column names cannot use parameters.  You have to put it directly into the string:"*
   
    I guess however there must be a way, because for example with SELECT it
    works.
    The query below works perfectly using variables:
   
        $results = $db->query("SELECT \"$DbItemName\" FROM Anagrafica WHERE hID=\"$hId\"")->fetchArray();
   
    Cheers
   
    Edmondo
   
   
    On Fri, 21 Jul 2017 at 12:24, Clemens Ladisch <[hidden email]> wrote:
   
    > Edmondo Borasio wrote:
    > >     $stmt->bind_param($p_name,$bind_value);
    >
    > This looks like PHP's MySQL driver.  Which DB are you actually using?
    >
    > Anyway, I recommend you start with the examples from the manual, e.g.,
    > <http://php.net/manual/en/sqlite3stmt.bindvalue.php>:
    >
    >   $stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
    >   $stmt->bindValue(':id', 1, SQLITE3_INTEGER);
    >   $result = $stmt->execute();
    >
    > > I would also need to take the parameter "name" of "SET name" from a
    > variable
    >
    > Table/column names cannot use parameters.  You have to put it directly
    > into the string:
    >
    >   $sql = "UPDATE Anagrafica SET ".$col." = ..."
    >
    >
    > Regards,
    > Clemens
    > _______________________________________________
    > sqlite-users mailing list
    > [hidden email]
    > http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
    >
   

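The pattern Clemens describes, written out as an added example (not code from the thread): the column name cannot be bound, so it is checked against a fixed allowlist and quoted as an identifier before being concatenated, while the value and the row id are bound with SQLite3Stmt::bindValue(). The Anagrafica table, its columns and the allowlist below are constructed for the example.

```php
<?php
// Added example, not code from the thread. Identifiers cannot be parameters,
// so the column is allowlisted and quoted; data goes through bindValue().

const UPDATABLE_COLUMNS = ['name', 'email'];   // constructed allowlist

function quoteIdentifier(string $name): string {
    // SQL identifiers are double-quoted; an embedded double quote is doubled.
    return '"' . str_replace('"', '""', $name) . '"';
}

function updateColumn(SQLite3 $db, string $col, string $value, int $hId): int {
    if (!in_array($col, UPDATABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("column not updatable: $col");
    }
    // Only the allowlisted identifier is concatenated; both values are bound.
    $sql = 'UPDATE Anagrafica SET ' . quoteIdentifier($col)
         . ' = :value WHERE hID = :hid';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':value', $value, SQLITE3_TEXT);
    $stmt->bindValue(':hid', $hId, SQLITE3_INTEGER);
    $stmt->execute();
    return $db->changes();   // number of rows the UPDATE touched
}

// Constructed sample data in an in-memory database.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE Anagrafica (hID INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO Anagrafica VALUES (1, 'Mario', 'mario@example.invalid')");

// A bound value is never parsed as SQL, so the quote needs no escaping.
$n = updateColumn($db, 'name', "O'Brien", 1);
echo "rows updated: $n\n";
echo $db->querySingle('SELECT name FROM Anagrafica WHERE hID = 1'), "\n";

// A column not on the allowlist is rejected before any SQL is built.
try {
    updateColumn($db, 'hID', '2', 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```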

Re: UPDATE database using parameters

Keith Medcalf
On Friday, 21 July, 2017 11:37, Jens Alfke <[hidden email]> wrote:

> But anyone writing software that runs in a web server,
> or that otherwise interacts with untrusted data, has to
> pay attention to basic security practices.

> And a fundamental one is that you don’t run code that
> some untrusted person sent you.

But most people do this all the time.  Just using a web browser has your machine executing god only knows what code generated by god only knows who doing god only knows what to your computer.  Unless you have disabled that, of course.  But that makes the web almost completely unusable because it is full of stupid sluggard Johnny-come-lately web designers who pull in third-party crap from god only knows where (since only their victims run it, they do not run it themselves).  There is a very small subset of people who take action against such stupidity.  I used to complain but these people are utter morons with abysmal IQs and do not grok the problem -- so there is not much point in that.  Now I simply refuse to deal with companies that pull such shenanigans and tell them why I will never do business with them.

> Anyone who doesn’t hear alarm bells going off when
> they see code like
> “UPDATE students set name=$FORM_DATA …”
> really shouldn’t be writing this sort of software.

And people who use squirrelly quotes should fix their email client ...

> (And it gets worse than this. A major attack on WordPress
> and other PHP apps about ten years ago, that caused a lot
> of damage worldwide, was triggered by some bozo using PHP’s
> “eval()” function inside an XMLRPC library.)

You don't need to look that far.  I am sure there were at least ten new vulnerabilities discovered yesterday that fall into this category.  And just for WordPress.

> —Jens
