Re: [RFC] is_literal()

March 23, 2020 00:04 mike@newclarity.net (Mike Schinkel)
> On Mar 22, 2020, at 7:14 PM, Craig Francis <craig@craigfrancis.co.uk> wrote:
>
>> On Sun, 22 Mar 2020 at 19:11, Mike Schinkel <mike@newclarity.net> wrote:
>> [...] hash out potential solutions on the list rather than propose a specific one in advance.
>
> As to your idea of a "safe" MySQL class, fortunately mysqli already stops multiple queries, so a SELECT cannot have an UPDATE/DELETE/TRUNCATE appended on to the end, but it can still do things like UNION another SELECT query, so the original query returns nothing, then the attacker's query gets appended, potentially allowing them to extract everything from the database.
To follow up, a "safe" MySQL class *could* disallow UNION then, no? In addition, it could possibly have flags for every type of query and require you to set on only the aspects you need: Unions, Updates, Deletes, Truncates, Joins, Where, etc., much like firewalls start with all ports closed. Just spitballing, anyway.

-Mike
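An added sketch of the default-deny query class described above, not code from the RFC or from anyone in the thread; `QueryGate` and its method names are hypothetical, and it assumes PHP 8.1+ with mysqli. It scans the SQL keywords outside string literals against an explicit allow-list, so UNION and write statements are refused unless switched on; it is a second layer beside prepared statements, not a replacement for them.

```php
<?php
// Hypothetical "firewall-style" query gate: every gated keyword is refused
// unless the caller explicitly allowed it when constructing the gate.
final class QueryGate
{
    // Keywords that must be switched on before a query may use them.
    private const GATED = ['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'TRUNCATE',
                           'UNION', 'JOIN', 'WHERE', 'DROP', 'ALTER'];

    /** @var string[] upper-case keywords this gate allows */
    private array $allowed;

    public function __construct(string ...$allowed)
    {
        $this->allowed = array_map('strtoupper', $allowed);
    }

    /** Returns the gated keywords the query uses but the gate does not allow. */
    public function violations(string $sql): array
    {
        // Blank out single- and double-quoted string literals first, so a
        // keyword that merely appears inside data does not trip the gate.
        $stripped = preg_replace("/'(?:[^'\\\\]|\\\\.)*'|\"(?:[^\"\\\\]|\\\\.)*\"/", "''", $sql);
        preg_match_all('/\b[A-Za-z_]+\b/', $stripped, $m);
        $found = array_unique(array_map('strtoupper', $m[0]));
        return array_values(array_diff(array_intersect($found, self::GATED), $this->allowed));
    }

    /** Runs the query as a prepared statement only when it passes the gate. */
    public function query(mysqli $db, string $sql, array $params = []): mysqli_result|bool
    {
        if ($bad = $this->violations($sql)) {
            throw new RuntimeException('Query uses disallowed feature(s): ' . implode(', ', $bad));
        }
        $stmt = $db->prepare($sql);
        $stmt->execute($params); // PHP 8.1+: execute() binds the values itself
        return $stmt->get_result();
    }
}

// Constructed samples: a read-only gate for a lookup endpoint.
$gate = new QueryGate('SELECT', 'WHERE');
var_dump($gate->violations("SELECT name FROM users WHERE id = ?"));                            // plain lookup
var_dump($gate->violations("SELECT name FROM users WHERE id = 1 UNION SELECT pw FROM users")); // UNION appended
var_dump($gate->violations("SELECT 'UNION' AS label FROM t WHERE x = ?"));                     // keyword only inside a literal
```

The keyword scan is deliberately simple (no comment or identifier-quoting handling), which is why the gate sits behind `prepare()` rather than in front of string concatenation.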