
Comments

PatMan

dude,

Doing "12345'; DROP TABLE footprints; --" will do absolutely nothing to your database. PHP/MySQL only executes the first query it encounters.

Try it, you will see.

Pete Warden

Thanks PatMan! I didn't know that about that feature of PHP's mysql interface, my testing was through the command line. I've updated the article.

That is definitely a handy security feature, and limits the damage an attacker can do. I'm still planning on escaping my user input though, since otherwise I'm still open to plenty of data access exploits.
