Vulnerability Development mailing list archives
Re: sql injection and php
From: "Sverre H. Huseby" <shh () thathost com>
Date: Wed, 29 May 2002 12:02:13 +0200
[Jacek Lach]
| Does the magic_quotes in php's configuration resolve the problem of sql
| injection?

No.

| Is this technique still a risk when the option is enabled?

Yes.

| Most documentation I found was presenting ASP examples, but simply
| entering ' character doesn't work when this option is enabled
| (which is set in default configuration).

You can do much damage without using the quote character:

  http://example.com/show.php?id=3;+DELETE+FROM+Customer

Make the server work: Imagine a database with millions of entries, from
which one normally only sees one at a time:

  http://example.com/show.php?id=3+OR+TRUE

And I guess there is much more that can be done by creative intruders.
As always.

Sverre.

--
shh () thathost com               Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/          http://nerdquiz.thathost.com/
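The point of the reply is that magic_quotes only escapes quote characters, so a numeric parameter that is placed into the query unquoted is unprotected. The following PHP is an added example written for this archive page, not code from the original thread or from either poster: it emulates magic_quotes with addslashes(), shows a show.php-style lookup that interpolates the id directly, and beside it the hardened version that validates the id as an integer and binds it through a prepared statement. The Customer table, its rows and the in-memory SQLite database are constructed here purely for illustration.

```php
<?php
// Added example (not from the original post). The table and rows below are
// constructed for illustration; the database is an in-memory SQLite via PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Customer (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO Customer (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// What magic_quotes_gpc did to request input: backslash-escape quotes.
// It never touches spaces, keywords or semicolons.
function magicQuotes(string $s): string
{
    return addslashes($s);
}

// Vulnerable lookup: the id is used without surrounding quotes, so escaping
// quote characters changes nothing. This is the situation behind
// show.php?id=3+OR+TRUE in the post: every row comes back.
function showVulnerable(PDO $db, string $id): array
{
    $id  = magicQuotes($id);
    $sql = "SELECT id, name FROM Customer WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup: validate the parameter as an integer, then bind it.
// Binding keeps data out of the SQL text entirely; the integer check makes
// the accepted input explicit and rejects anything like "3 OR TRUE".
function showSafe(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        return []; // not a plain integer: refuse rather than guess
    }
    $stmt = $db->prepare('SELECT id, name FROM Customer WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The quote-free payload from the post, as PHP sees it after URL decoding.
$payload = '3 OR TRUE';

printf("vulnerable, id=%s: %d row(s)\n", $payload, count(showVulnerable($db, $payload)));
printf("safe,       id=%s: %d row(s)\n", $payload, count(showSafe($db, $payload)));
printf("safe,       id=3: %d row(s)\n", count(showSafe($db, '3')));
```

The vulnerable function returns the whole table for the payload while the hardened one returns nothing for it and exactly one row for a genuine id. The stacked-query variant from the post (`3; DELETE FROM Customer`) is not shown because whether a second statement runs depends on the database driver, but the same fix covers it: a bound integer parameter can never become a second statement.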
Current thread:
- sql injection and php Jacek Lach (May 28)
- Re: sql injection and php Sverre H. Huseby (May 29)
- Re: sql injection and php Greg Hunt (May 29)
- Re: sql injection and php Sverre H. Huseby (May 29)
- Re: sql injection and php Greg Hunt (May 29)
- Re: sql injection and php Florian Weimer (May 29)
- Re: sql injection and php Sverre H. Huseby (May 29)
- Re: sql injection and php Jacek Lach (May 29)
- Re: sql injection and php Sverre H. Huseby (May 29)
- Re: sql injection and php Lincoln Yeoh (May 29)
- Re: sql injection and php Sverre H. Huseby (May 29)