[ic] sql query with UNION broken

Mike Heins mike at perusion.com
Fri Aug 22 14:11:32 EDT 2003


Quoting Jon Jensen (jon at endpoint.com):
> On Fri, 22 Aug 2003, Mike Heins wrote:
> 
> > > I suggest a minor correction to your second proposal, as follows:
> > > 
> > >     $update = 1 if $query !~ /^[\s\W]*select\s+/i;
> > > 
> > > That would allow multiple opening parentheses (with or without
> > > whitespace between) before the SELECT.
> > 
> > Since whitespace is \W, we can simplify to \W*.
> 
> That's right! So that makes it a one-character patch. I just committed it.
> 

We should probably think about security implications of this -- I am not
sure (SELECT ...) is standard ANSI SQL, and I am not enough of a SQL guru
to authoritatively speak to it.

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.513.523.7621      <mike at perusion.com>

Nature, to be commanded, must be obeyed. -- Francis Bacon
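The classification under discussion, as an added example that is not part of the thread or of Interchange's own code: a small Perl script that applies the committed one-character test (`\W*` before SELECT) to a set of constructed statements, including parenthesised SELECT / UNION forms like the one in the subject line. The `is_update` wrapper name and all sample statements are assumptions made for this illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same test as the patch quoted above: a statement is treated as a
# read (not an update) only if, after any run of non-word characters
# (whitespace, parentheses, punctuation), it begins with SELECT and
# at least one whitespace character. Everything else is an update.
# Hypothetical wrapper name, added for this example.
sub is_update {
    my ($query) = @_;
    return $query !~ /^\W*select\s+/i ? 1 : 0;
}

# Constructed sample statements (not taken from the original thread).
# The expected classification is noted beside each one.
my @cases = (
    # read: plain SELECT
    "SELECT sku FROM products WHERE sku = '00-0011'",
    # read: leading whitespace is \W
    "  select sku FROM products",
    # read: one opening parenthesis before SELECT
    "(SELECT sku FROM a) UNION (SELECT sku FROM b)",
    # read: several parentheses, with and without whitespace between
    "( (SELECT sku FROM a)) UNION ((SELECT sku FROM b))",
    # write: plain data-modifying statements
    "UPDATE products SET price = 1 WHERE sku = '00-0011'",
    "DELETE FROM products WHERE sku = '00-0011'",
    # write: the word SELECT appearing later does not matter
    "INSERT INTO products (sku) VALUES ('SELECT')",
    # write: the comment contains word characters before SELECT,
    # so \W* cannot skip over it; the conservative fallback applies
    "/* leading comment */ SELECT sku FROM products",
    # write: same reason for a -- comment with words in it
    "-- comment\nselect sku FROM products",
    # read: a comment made only of non-word characters is skipped
    "/**/SELECT sku FROM products",
    # write: \s+ requires whitespace after SELECT
    "SELECT*FROM products",
);

for my $q (@cases) {
    (my $shown = $q) =~ s/\n/\\n/g;          # keep output on one line
    printf "%-6s %s\n", is_update($q) ? "write" : "read", $shown;
}
```

Run it with `perl classify.pl`; each line shows the classification followed by the statement. The cases with leading comments show the regex's failure direction: when in doubt it classifies a statement as an update, never the other way round, which is the property worth preserving if the test is loosened further.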

