Re: Paper of insecure in PHP... and doubt in SQL-Injection

["Kevin Spett" <kspett () spidynamics com>]

The best paper on PHP security in general that I've seen is _A Study In
Scarlet_ (http://www.securereality.com.au/studyinscarlet.txt)

For general SQL injection instruction, I recommend my paper
(http://www.spidynamics.com/whitepapers/WhitepaperSQLInjection.pdf) and the
NGS paper written by Chris Anley
(www.nextgenss.com/papers/advanced_sql_injection.pdf ).

I think the requested properties error message indicates that the database
driver does not know how to handle the kind of result that the database
server returned.  This can be a problem when mixing driver and database
server vendors.  I don't know how to get around it offhand.  Perhaps someone
with more ADO experience can offer some ideas or clarifications.


Kevin Spett
SPI Labs
http://www.spidynamics.com/


----- Original Message -----
From: <sekure () hadrion com br>
To: <webappsec () securityfocus com>
Sent: Thursday, February 20, 2003 8:52 AM
Subject: Paper of insecure in PHP... and doubt in SQL-Injection


> Hi,
>
> I'm searching a good paper or collection of papers that describe
> problems of PHP with real examples and eploitations. Like
> SQL-Injection, danger funcionts, buffer overflow, ...
>
> ps.: I want read, understand and test it. hehehe :)
>
> Where find this papers ??
>
> Someone have links that i can access ? :)
>
> A little doubt about SQL-Injections... Why some sites and Visual Basic
> applications gave-me this error when i try a SQL-Injection in it:
>
> Microsoft OLE DB Provider for ODBC Drivers error '80040e21'
>
> ODBC driver does not support the requested properties.
>
> /procura_resp.asp, line 121
>
>
> This error was caused by insert a ' or '1 under a search form. :)
>
> Why ?? A different provider ?? Security checks ?? How to bypass this
> problem of provider ??
>
> Thkz a lot.
>
> Best Regards.
>
> [ ]'s