I saw this in an online article:
" mysql_db_query ($DB, "SELECT something FROM table WHERE name=$username"); In this example, the user can use a semicolon in the input to end the current query and supply arbitrary commands to the database. The input ";drop db database" will expand to the query string "SELECT something FROM table WHERE name=;drop db database", which will result in an error (because the first part of the query is now invalid) followed by a successful drop of the entire database. "
This doesn't work on my computer (php4.3.1, mysql3.23, magic_quote_gpc=off). It just told me "you have an error in your sql syntax".
Can anybody tell me why?
Thanks
A question about php security
Moderator: General Moderators
I think you have to make a whole new query and do-
Code: Select all
DROP DATABASE `dbName`;