Security Basics mailing list archives

Re: Beginner questions regarding PHP and MySQL Injection


From: zero9zero () gmail com
Date: Thu, 29 Jul 2010 15:33:40 +0000

Well, SQL injection doesn't have to be in input validation.. Usually they inject it through the URL too...
A simple way to prevent SQL injection is to filter out characters like single quote, double quote, slash, backslash, semicolon,
extended characters, etc., in all strings from input, URL parameters, and values from cookies..
Try googling more because there's a ton of papers to read.

Have fun,
Burhan M.
Sent from my BlackBerry®
powered by Sinyal Kuat INDOSAT

-----Original Message-----
From: James Bensley <jwbensley () gmail com>
Sender: listbounce () securityfocus com
Date: Wed, 28 Jul 2010 23:18:12 
To: security-basics<security-basics () securityfocus com>
Subject: Beginner questions regarding PHP and MySQL Injection

List of great knowledge...

I have set myself up a test lab with some PHP exercises; it seems the
infamous ' or 1=1 -- is way too easy to exploit; I can only get it to
work if I give it a stupidly oversized helping hand :D

(i.e. PHP magic quotes is turned off and no input validation of any sort
is being performed)

As soon as I start using as a minimum stripslashes() and
mysql_real_escape_string() and/or turn magic quotes on, I can no
longer escape the PHP code that builds the MySQL query to perform an
injection.

Does anyone have any pointers, advice, good reading etc. they can link
that can explain how I can escape these methods? Or perhaps a better
way of trying to implement my SQL injection?

-- 
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?
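
An added example, not code from either message, that runs the three approaches discussed in this thread side by side: the concatenated query from James's lab, the "strip dangerous characters" filter from the reply, and a prepared statement. It assumes PHP with the PDO SQLite driver and uses an in-memory database with two constructed user rows in place of MySQL; the function names are mine.

```php
<?php
// Added example, not code from either poster. PDO with an in-memory SQLite
// database stands in for MySQL so the script runs without a server; the
// users table and its two rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', 'a-secret'), ('bob', 'b-secret')");

// 1. The pattern from the question: request values concatenated into the SQL text.
function loginConcat(PDO $db, string $name, string $pass): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND pass = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Same pattern, but the value sits in a numeric context with no quotes around it.
function userByIdConcat(PDO $db, string $id): array
{
    return $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
}

// 2. The blacklist approach from the reply: remove a list of "dangerous" characters.
function stripBlacklist(string $s): string
{
    return str_replace(["'", '"', '/', '\\', ';'], '', $s);
}

// 3. Prepared statements: the SQL text is fixed and the values are bound
//    separately, so nothing in $name or $pass is ever parsed as SQL.
function loginPrepared(PDO $db, string $name, string $pass): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute([':name' => $name, ':pass' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function userByIdPrepared(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {            // reject anything that is not a plain integer
        return [];
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$quoted  = "' OR 1=1 -- ";  // the test string from the question (string context)
$numeric = "1 OR 1=1";      // same idea in a numeric context: no quote needed

printf("%-30s %s\n", 'concat, payload:',             json_encode(loginConcat($db, $quoted, 'x')));
printf("%-30s %s\n", 'concat + blacklist, payload:', json_encode(loginConcat($db, stripBlacklist($quoted), 'x')));
printf("%-30s %s\n", "blacklist applied to O'Brien:", stripBlacklist("O'Brien"));
printf("%-30s %s\n", 'concat, numeric payload:',     json_encode(userByIdConcat($db, $numeric)));
printf("%-30s %s\n", 'blacklist, numeric payload:',  json_encode(userByIdConcat($db, stripBlacklist($numeric))));
printf("%-30s %s\n", 'prepared, payload:',           json_encode(loginPrepared($db, $quoted, 'x')));
printf("%-30s %s\n", 'prepared, numeric payload:',   json_encode(userByIdPrepared($db, $numeric)));
printf("%-30s %s\n", 'prepared, valid login:',       json_encode(loginPrepared($db, 'alice', 'a-secret')));
```

Run it with `php sqli_demo.php`. The character filter does stop the quoted ' or 1=1 -- string, but it turns the legitimate name O'Brien into OBrien and does nothing at all in the numeric context, where the value is dropped into the query without quotes and so contains no character the filter looks for. The prepared statement returns nothing for both payloads and still accepts the valid login, because the bound value is never parsed as SQL. Against a real MySQL server the same separation is available through `mysqli_prepare()` and `mysqli_stmt_bind_param()`; `mysql_real_escape_string()` only protects quoted string contexts and has to be applied at every concatenation point, which is why escaping alone is the weaker defence.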
