Penetration Testing mailing list archives

Re: PHP and MySQL

From: Josh Zlatin-Amishav <josh () tkos co il>
Date: Thu, 19 Jan 2006 11:15:12 +0200 (IST)

On Wed, 18 Jan 2006, John Madden wrote:

Hi,

I'm pentesting a web site and i get the following
error message while using a single quote: ex.
/confirm.php?conf='test123

Warning: mysql_fetch_row(): supplied argument is not a
valid MySQL result resource in /xx/xx/confirm.php on
line 5


[...snip]


And how do we fix this vulnerability ? Besides the PHP
code itself (sanitize user input), is it a PHP setting
(php.ini) ?


You might also want to set display_errors = Off in php.ini.

--
 - Josh

------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

PHP and MySQL John Madden (Jan 18)
- Re: PHP and MySQL AdamT (Jan 19)
- Re: PHP and MySQL Josh Zlatin-Amishav (Jan 19)
- <Possible follow-ups>
- RE: PHP and MySQL Derick Anderson (Jan 19)
- Re: PHP and MySQL dork (Jan 20)
  - Re: PHP and MySQL Edy (Jan 23)