WebApp Sec mailing list archives
RE: Blind SQL Injection / Stored procedures
From: "LAROUCHE Francois" <Francois.Larouche () accorservices com>
Date: Fri, 18 Nov 2005 11:55:00 +0100
Hi Phillip,

The first thing I can tell you about PHP, since I don't know much about it, is the use of the magic quotes option. You should find valuable information on this topic on Google. However, you have to know that there are some problems with it. Read it carefully.

Now the problem with PHP is that under version 5 (not sure at 100%) there is nothing that prevents SQL injection, since the SQL is inline in the code. Even with magic quotes it's dangerous, since you can achieve SQL injection without a single quote (when there is an integer argument, for instance).

There is another option that I found, a database abstraction layer package made by PEAR; it works on PHP 4 and 5 and should be free (pear.php.net/package/DB). Now I don't know if it's a good product or not, or really secure, but you can always try. I just know they use their own prepared statements and quote stripping.

Good luck!

François Larouche

P.S. It's not a good idea to talk openly of your architecture on the net, not all people in this list are pure of heart :) NASA is an attractive place...
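As an added example (not code from the original message or from the PEAR project), the integer-argument case the reply warns about, with an inline query beside a PEAR DB placeholder query; the `$dsn` value, the `users` table and the `find_user_*` helper names are assumptions:

```php
<?php
// Added example, not from the original post. Contrasts inline SQL with an
// integer argument against a PEAR DB placeholder query.
// Assumes PEAR DB is installed and $dsn is a site-specific DSN string.

require_once 'DB.php';

// --- Vulnerable: integer argument, SQL built inline --------------------
// magic_quotes_gpc only escapes quote characters. An input such as
// "1 OR 1=1" contains none, so it reaches the query unchanged and
// widens the WHERE clause to every row.
function find_user_inline($db, $id)
{
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    return $db->getAll($sql);
}

// --- Hardened: validate the type, then bind the value ------------------
function find_user_bound($db, $id)
{
    // Reject anything that is not a plain non-negative integer.
    if (!ctype_digit((string) $id)) {
        return PEAR::raiseError('invalid user id');
    }
    // '?' placeholder: PEAR DB quotes/escapes the value for the driver
    // (client-side emulation on most drivers), so the data is never
    // parsed as part of the SQL statement. Placeholders are for values
    // only; table and column names cannot be bound this way.
    return $db->getAll('SELECT id, name FROM users WHERE id = ?',
                       array((int) $id));
}

$db = DB::connect($dsn);   // $dsn: assumed, site-specific connection string
if (PEAR::isError($db)) {
    die($db->getMessage());
}
$db->setFetchMode(DB_FETCHMODE_ASSOC);

$tainted = $_GET['id'];    // e.g. "1 OR 1=1": no quote for magic quotes to touch
var_dump(find_user_inline($db, $tainted)); // inline query returns every user
var_dump(find_user_bound($db, $tainted));  // rejected before reaching the database
```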
Current thread:
- Blind SQL Injection / Stored procedures Andres Molinetti (Nov 15)
- Re: Blind SQL Injection / Stored procedures Adam Tuliper (Nov 15)
- Re: Blind SQL Injection / Stored procedures Laramies (Nov 16)
- RE: Blind SQL Injection / Stored procedures Victor Chapela (Nov 18)
- <Possible follow-ups>
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 16)
- RE: Blind SQL Injection / Stored procedures Andres Molinetti (Nov 16)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 17)
- Re: Blind SQL Injection / Stored procedures Phillip Powell (Nov 17)
- RE: Blind SQL Injection / Stored procedures Evans, Arian (Nov 17)
- Re: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures Frederic Charpentier (Nov 17)
- RE: Blind SQL Injection / Stored procedures LAROUCHE Francois (Nov 18)
- Re: Blind SQL Injection / Stored procedures ascii (Nov 18)