How do I make a menu item make a database query?

17 years 9 months ago #17048 by mikko
If you take some parameter directly from the URL without checking it, it is possible that someone writes a URL that has a parameter that first terminates the string, then the SQL sentence, includes another SQL query and comments out the rest of the real SQL. In this case the malicious user can execute any SQL that they wish. It does not matter what the original SQL statement was.

See e.g. en.wikipedia.org/wiki/SQL_injection

I just wanted to warn people not to use your hack because it is not safe, not to argue whether this is a problem or not.

mikko


17 years 9 months ago #17320 by eisnerj
So the Wikipedia site offers the following to secure from SQL injection:

[code:1]$query_result = mysql_query(
    "select * from users where name = '" . mysql_real_escape_string($user_name) . "'"
);[/code:1]

Is that all I need to do to secure the call as far as you know?

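The following is an added example, not code from the thread or from the Wikipedia article it links to. It illustrates the string-termination problem mikko describes and answers the question above in the way a practitioner would today: escaping only protects a value that sits inside a quoted string literal, while a prepared statement keeps the value out of the SQL text entirely, for both string and integer contexts. The `mysql_*` functions quoted above were removed in PHP 7, so the example uses PDO with an in-memory SQLite database; the table, rows, function names and sample inputs are all constructed for this demo.

```php
<?php
// Added example (not from the thread): string concatenation versus a prepared
// statement, run against an in-memory SQLite database so it works offline.
// The table, rows and inputs below are constructed for this demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('O''Brien', 'user')");

// Unsafe: the request value is pasted into the SQL text, so a quote in the
// value terminates the string literal and whatever follows is parsed as SQL.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value travels separately from the SQL text and can only be data,
// whatever characters it contains.
function findUserSafe(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT id, name, role FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Integer context: there are no quotes for an escaping function to protect,
// so validate the type first and bind the value as an integer.
function findUserById(PDO $db, $id): array {
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException("id must be an integer");
    }
    $stmt = $db->prepare("SELECT id, name, role FROM users WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A perfectly legitimate name that happens to contain a quote (constructed input,
// as it would arrive in a URL parameter). The concatenated query breaks because
// the quote ends the literal early; the prepared statement simply returns the row.
$input = "O'Brien";
try {
    findUserUnsafe($db, $input);
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
print_r(findUserSafe($db, $input));   // one row: O'Brien

// Integer parameter: a valid id is bound as PDO::PARAM_INT; anything that is not
// an integer is rejected before any SQL is built.
print_r(findUserById($db, "1"));      // one row: alice
try {
    findUserById($db, "abc");
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The practical answer to the question above is therefore: escaping is enough only when every escaped value is placed inside a quoted string literal and nothing else from the request reaches the SQL text; prepared statements with bound parameters remove that condition, which is why they are the recommended fix.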

17 years 8 months ago #17331 by mikko

17 years 8 months ago #18697 by jeffason
OK, this needs a real explanation....

this code is SAFE because it uses

$params = urldecode(mosGetParam($_GET, "params"));

if he were to use $_GET AND register_globals was on he would have a problem

sql injection is not possible without register globals...AFAIK...especially when using mosgetparam
