Security Basics mailing list archives
Re: Beginner questions regarding PHP and MySQL Injection
From: zero9zero () gmail com
Date: Thu, 29 Jul 2010 15:33:40 +0000
Well, SQL injection doesn't have to be in input validation. Usually they inject it through the URL too. A simple way to prevent SQL injection is to filter out characters like single quote, double quote, slash, backslash, semicolon, extended characters, etc., in all strings from input, URL parameters, and values from cookies. Try Googling more, because there are a ton of papers to read.

Have fun,
Burhan M.

Sent from my BlackBerry® powered by Sinyal Kuat INDOSAT

-----Original Message-----
From: James Bensley <jwbensley () gmail com>
Sender: listbounce () securityfocus com
Date: Wed, 28 Jul 2010 23:18:12
To: security-basics<security-basics () securityfocus com>
Subject: Beginner questions regarding PHP and MySQL Injection

List of great knowledge...

I have set myself up a test lab with some PHP exercises; it seems the infamous ' or 1=1 -- is way too easy to exploit; I can only get it to work if I give it a stupidly oversized helping hand :D (i.e. PHP magic quotes is turned off and no input validation of any sort is being performed).

As soon as I start using as a minimum stringslashes() and mysql_real_escape_string() and/or turn magic quotes on, I can no longer escape the PHP code that builds the MySQL query to perform an injection.

Does anyone have any pointers, advice, good reading etc. they can link that can explain how I can escape these methods? Or perhaps a better way of trying to implement my SQL injection?

--
Regards,
James.
http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...?
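The following is an added example for this thread, not code from either poster. It puts the three query-building styles under discussion side by side: the raw interpolation of James's lab, the escaped form that stops his ' or 1=1 -- payload, and the one place escaping (or the character filtering suggested in the reply) does not help, an unquoted numeric parameter, where the prepared statement is the fix. The `users` table with `id`, `username` and `password` columns and the `$db` mysqli connection are assumptions for the example.

```php
<?php
// Added example for this thread; not code from either poster. It assumes a
// `users` table with integer `id` and string `username`/`password` columns,
// and a live mysqli connection in $db for the functions that need one.

declare(strict_types=1);

// 1. The lab setup James describes: raw interpolation, no escaping.
//    With $user = "' OR 1=1 -- " the WHERE clause becomes
//    username = '' OR 1=1 -- ' AND password = '...'
//    (always true, and the remainder is commented out).
function loginQueryRaw(string $user, string $pass): string
{
    return "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
}

// 2. Escaped string context. real_escape_string() is the mysqli form of the
//    mysql_real_escape_string() James mentions: it backslash-escapes ' " \ NUL
//    \n \r and Ctrl-Z according to the connection charset, so the quote in the
//    payload stays inside the string literal and the "-- " is just data.
function loginQueryEscaped(mysqli $db, string $user, string $pass): string
{
    $u = $db->real_escape_string($user);
    $p = $db->real_escape_string($pass);
    return "SELECT id FROM users WHERE username = '$u' AND password = '$p'";
}

// 3. The case escaping does not cover: an unquoted numeric context. The
//    payload "1 OR 1=1" contains nothing for real_escape_string() (or a
//    quote/backslash blacklist) to touch, so the query ends up as
//    ... WHERE id = 1 OR 1=1  and matches every row.
function profileQueryEscaped(mysqli $db, string $id): string
{
    $i = $db->real_escape_string($id);
    return "SELECT id, username FROM users WHERE id = $i";
}

// 4. Prepared statements: the SQL text with placeholders is sent first and the
//    values afterwards, so data is never parsed as SQL in either context.
function loginPrepared(mysqli $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

function profilePrepared(mysqli $db, string $id): ?array
{
    // Validate the type as well as binding it: "1 OR 1=1" is rejected outright.
    $i = filter_var($id, FILTER_VALIDATE_INT);
    if ($i === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->bind_param('i', $i);
    $stmt->execute();
    $stmt->bind_result($rowId, $rowName);
    $row = $stmt->fetch() ? ['id' => $rowId, 'username' => $rowName] : null;
    $stmt->close();
    return $row;
}

// The raw build needs no server, so it can be inspected directly from the CLI;
// the escaped and prepared functions need a real mysqli connection in $db.
echo loginQueryRaw("' OR 1=1 -- ", 'x'), "\n";
```

Two points of context on the functions James names: magic_quotes_gpc was removed in PHP 5.4, and the ext/mysql extension that provides mysql_real_escape_string() was removed in PHP 7, so mysqli or PDO prepared statements are what a current lab should be built on. The third function is the general answer to "how can I escape these methods": escaping and character filtering only protect a value that sits inside a quoted string literal, so a lab that interpolates an integer parameter without quotes remains injectable no matter how the string is escaped.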
Current thread:
- Beginner questions regarding PHP and MySQL Injection James Bensley (Jul 29)
- Re: Beginner questions regarding PHP and MySQL Injection zero9zero (Jul 29)