-
INSERT INTO table set var1 = 897897; delete from main
Where the variable is "897897; delete from main"
Or...
INSERT INTO table set var = '897897; delete from main'
The other way to guard against this is to give your webpages only the type of access they need (read/write/dba).
-
Interesting point, but if you're inserting numeric data you would need to validate it on a different layer to make sure it's within bounds etc. anyway. With text/varchar etc. you would use quotes anyway, so there wouldn't be any risk.
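The two posts above describe the same failure mode (an unquoted "numeric" value that smuggles in a second statement) and two defences (quoting/parameters, and validating the number at the application layer). The following is an added example, not code from either poster: it builds a small SQLite database with constructed tables `main` and `entries` (names are assumptions), runs the thread's payload through an unquoted `SET var1 = ...` statement, and then through a parameterized statement plus a bounds check. `executescript()` is used only to model a driver that permits stacked statements; note that `sqlite3.Connection.execute()` itself refuses more than one statement, which is one reason a bound parameter is the right tool here.

```python
import sqlite3

# Constructed payload, copied from the thread: a "number" carrying a second statement.
PAYLOAD = "897897; delete from main"


def setup():
    """Return an in-memory SQLite database with constructed tables (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE main (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO main (name) VALUES ('alice'), ('bob'), ('carol');
        CREATE TABLE entries (var1 INTEGER);
        INSERT INTO entries (var1) VALUES (0);
        """
    )
    return conn


def count_main(conn):
    """How many rows survive in `main` (3 unless something deleted them)."""
    return conn.execute("SELECT COUNT(*) FROM main").fetchone()[0]


def current_var1(conn):
    """The value actually stored in entries.var1."""
    return conn.execute("SELECT var1 FROM entries").fetchone()[0]


def set_var1_unquoted(conn, value):
    """Vulnerable pattern from the thread: the value is pasted into the SQL text.

    SQLite has no MySQL-style INSERT ... SET, so UPDATE ... SET models the same
    shape. executescript() stands in for a driver that runs stacked statements.
    """
    conn.executescript(f"UPDATE entries SET var1 = {value}")
    return count_main(conn)


def set_var1_parameterized(conn, value):
    """Safe pattern: the value is bound as a parameter and never parsed as SQL."""
    conn.execute("UPDATE entries SET var1 = ?", (value,))
    conn.commit()
    return count_main(conn)


def validated_int(value, low=0, high=1_000_000):
    """Application-layer check from the second post: must be an integer in bounds.

    Bounds are assumed for the example. Raises ValueError on non-numeric input
    such as the payload, and on integers outside [low, high].
    """
    n = int(value)  # "897897; delete from main" fails here
    if not low <= n <= high:
        raise ValueError(f"{n} is outside [{low}, {high}]")
    return n


if __name__ == "__main__":
    unsafe = setup()
    print("unquoted: rows left in main =", set_var1_unquoted(unsafe, PAYLOAD))

    safe = setup()
    print("parameterized: rows left in main =", set_var1_parameterized(safe, PAYLOAD))
    print("parameterized: stored var1 =", repr(current_var1(safe)))

    for candidate in ("897897", PAYLOAD, "5000000"):
        try:
            print("validated:", validated_int(candidate))
        except ValueError as exc:
            print("rejected:", candidate, "->", exc)
```

With the unquoted statement the payload empties `main`; with the bound parameter the whole string lands in `var1` as text (SQLite keeps non-numeric text even in an INTEGER column), and `main` is untouched. The bounds check rejects the payload before any SQL runs, which is the layer the second post is pointing at.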