note
roboticus
<p>[dnamonk]:</p>
<p>If you're not using placeholders for your database code, then perhaps you've got a field with an embedded apostrophe in it. For example:</p>
<c>
my $t = "Bobby Tables' and HeadName=1; drop table mytable;";
my $SQL = "select * from mytable where id='$t'";
print $SQL, "\n";
</c>
<p>If you expand the resulting SQL and reformat it, you'll see that it's rather fortunate that HeadName isn't a column in your table!</p>
<c>
select * from mytable
where id='Bobby Tables'
and HeadName=1;
drop table mytable;
</c>
<p>...[roboticus]</p>
<p><i>When your only tool is a hammer, all problems look like your thumb.</i></p>
998469
998469
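<p>The placeholder form the post refers to, as an added example that is not part of the original post. It assumes Perl DBI with DBD::SQLite installed; the in-memory database, the <c>note</c> column and the inserted rows are constructed for illustration. The interpolated statement is only printed, never executed.</p>

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Assumption: DBD::SQLite is available. The in-memory database and its
# rows are constructed for this example.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, PrintError => 0 });
$dbh->do("create table mytable (id text, note text)");

# The value from the post, plus an ordinary name with an apostrophe.
my @ids = (
    "O'Brien",
    "Bobby Tables' and HeadName=1; drop table mytable;",
);

# Placeholder insert: the value never becomes part of the SQL text.
my $ins = $dbh->prepare("insert into mytable (id, note) values (?, ?)");
$ins->execute($_, "constructed row") for @ids;

my $sel = $dbh->prepare("select id, note from mytable where id = ?");
for my $t (@ids) {
    # Interpolated form from the post: built as a string and printed only.
    my $interpolated = "select * from mytable where id='$t'";
    print "interpolated: $interpolated\n";

    # Bound form: the SQL text is constant and $t travels as data,
    # so the apostrophe cannot end the string literal.
    $sel->execute($t);
    my $rows = $sel->fetchall_arrayref;
    printf "placeholder : %d row(s) matched, id=[%s]\n",
        scalar @$rows, $rows->[0][0];

    # quote() shows the driver's escaping for cases where a literal
    # really has to be embedded in the statement text.
    print "quoted      : ", $dbh->quote($t), "\n\n";
}

# Both values were stored and looked up as plain data; the table is intact.
my ($count) = $dbh->selectrow_array("select count(*) from mytable");
print "mytable still exists with $count rows\n";
$dbh->disconnect;
```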