I was just wondering, why isn't PHP injection a danger like SQL injection is?
We all know, if you put in a line like
$query=mysql_query("SELECT * FROM list WHERE name='".$_GET["name"]."'");
'; DELETE FROM list
as the "name"
But what I'm wondering is, why are SQL query strings the only place where this security issue comes up?
In the above example, what if someone sent the following name variable:
'"); unlink("index.php
Why wouldn't that also screw you up?
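An added example, not part of the original post: it feeds both payloads quoted above through the same concatenation, showing that PHP treats the value as string data while the finished string is what a SQL parser would read at run time, and then binds the value as a parameter instead. Assumptions: PDO with the SQLite driver and an in-memory table stand in for the post's `mysql_query` and MySQL `list` table, and a scratch `index.php` is created in a temporary directory.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver, an in-memory table
// standing in for the post's MySQL "list" table, and a scratch index.php.
$dir = sys_get_temp_dir() . '/inj_demo_' . uniqid();
mkdir($dir);
chdir($dir);
file_put_contents('index.php', "<?php // scratch file\n");

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE list (name TEXT)");
$db->exec("INSERT INTO list VALUES ('alice'), ('bob')");

// Constructed stand-ins for $_GET["name"]; both values are quoted from the post.
$inputs = [
    'SQL payload' => "'; DELETE FROM list",
    'PHP payload' => '\'"); unlink("index.php',
];

foreach ($inputs as $label => $name) {
    // PHP compiled this file before $name had a value. Concatenation only
    // builds a longer string; nothing inside $name is parsed as PHP.
    $sql = "SELECT * FROM list WHERE name='" . $name . "'";
    echo "$label\n";
    echo "  index.php still exists: " . var_export(file_exists('index.php'), true) . "\n";

    // The finished string is what a SQL server would parse, at run time.
    // Here the quote in the input ends the literal early (not executed).
    echo "  text for the SQL parser: $sql\n";

    // Fix: the statement is parsed with a placeholder, the value is bound
    // afterwards and can only ever be compared as data.
    $stmt = $db->prepare("SELECT * FROM list WHERE name = ?");
    $stmt->execute([$name]);
    $matches = count($stmt->fetchAll());
    $rows = (int) $db->query("SELECT COUNT(*) FROM list")->fetchColumn();
    echo "  bound as a parameter: $matches match(es), $rows rows in table\n";
}

// Clean up the scratch directory.
unlink('index.php');
chdir(sys_get_temp_dir());
rmdir($dir);
```

The same exposure exists wherever a string is handed to a parser at run time; for PHP itself that means constructs such as `eval()`, which the post's snippet does not use.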