Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:3907
Return-Path:
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 81242 invoked from network); 14 Aug 2003 08:04:37 -0000
Received: from unknown (HELO dellserver.guidance.nl) (213.201.153.14) by pb1.pair.com with SMTP; 14 Aug 2003 08:04:37 -0000
Received: by DELLSERVER with Internet Mail Service (5.5.2656.59) id ; Thu, 14 Aug 2003 10:08:08 +0200
Message-ID: <7BE0F4A5D7AED2119B7500A0C94C58AC3D6CCC@DELLSERVER>
To: internals@lists.php.net
Date: Thu, 14 Aug 2003 10:08:07 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2656.59)
Content-Type: text/plain
Subject: RE: [PHP-DEV] Re: PHP 4.3.3RC3 Released
From: M.Boeren@guidance.nl (Marc Boeren)

> that's the point. if the cracker can change only the end of
> the query, it's not so useful for him (he can maximum get other id)

How about a form of DoS:

'...where id = '.$id

with $id = '23129 or 1'

this will select all entries in the table which could result in DoS...

So, ultimately this problem is the coder's responsibility.

Cheerio, Marc.
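The lookup Marc describes, shown as an added example that is not part of his mail or of the PHP project: the raw-concatenation form beside two hardened forms. It assumes a mysqli connection `$db` (mysqlnd driver, so `get_result()` is available) and a hypothetical table `entries` with an integer `id` column; the function names are also assumptions. Each variant keeps the single-row lookup as the only query shape the user can trigger, which is what removes the full-table-scan DoS.

```php
<?php
// Added example, not code from the mailing-list post.
// Assumes: mysqli connection $db, hypothetical table "entries" with integer column "id".

// Vulnerable, as in the mail: the user-supplied string is spliced into the SQL text,
// so an $id of "23129 or 1" changes the WHERE clause and matches every row.
function lookupVulnerable(mysqli $db, string $id)
{
    $sql = 'SELECT * FROM entries WHERE id = ' . $id;
    return $db->query($sql);
}

// Hardened by validation: an id must be an integer, so reject anything else
// before it gets near the query. filter_var() returns false for "23129 or 1".
function validateId(string $id): ?int
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

function lookupValidated(mysqli $db, string $id)
{
    $n = validateId($id);
    if ($n === null) {
        return false;            // caller treats this as "bad request", no query is run
    }
    return $db->query('SELECT * FROM entries WHERE id = ' . $n);
}

// Hardened by a prepared statement: the value is bound as data and is never
// parsed as SQL, so the query shape cannot change whatever the string contains.
// Validation is still done first so a non-numeric value is refused rather than coerced.
function lookupPrepared(mysqli $db, string $id)
{
    $n = validateId($id);
    if ($n === null) {
        return false;
    }
    $stmt = $db->prepare('SELECT * FROM entries WHERE id = ?');
    $stmt->bind_param('i', $n);  // 'i' binds an integer parameter
    $stmt->execute();
    return $stmt->get_result();
}
```

For an integer key the validation alone is sufficient, but the prepared statement is the form that generalizes to string columns, where a cast is not available and escaping by hand is where mistakes creep in.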