Ahh, just looked again. That must be those magic quotes. I also grabbed that "cat" for a title of the page and I see what I entered now has backslashes in it...
Levi (: On 6/15/06, Levi Smith <[EMAIL PROTECTED]> wrote:
Woohoo! As long as I'm just looking for obvious text on the page then it didn't work. Levi On 6/15/06, Michael O'Keefe < [EMAIL PROTECTED]> wrote: > > > Does anyone know of a good straightforward page of "try this, then > this" > > for > > testing for a sql injection flaw? > > Preferably one that deals with an openBSD/MySQL, PHP backend? > > The easiest way is to put a ';drop database *;' in your input > > This will be translated into ... > > SELECT * > FROM item_categories > WHERE item_categories.item_category = '';drop database *;'' > AND item.long_item_id = item_categories.long_item_id > > You're typical fault injector won't care that the last part is invalid > SQL, so long as the drop database * gets done ! > > -- > Michael O'Keefe | [EMAIL PROTECTED] > Live on and Ride a 03 BMW F650GSDakar| [EMAIL PROTECTED] / | > I like less more or less less than |Work:+1 858 845 3514 / | > more. UNIX-live it,love it,fork() it |Fax :+1 858 845 2652 /_p_| > My views are MINE ALONE, blah, blah, |Home:+1 760 788 1296 \`O'| > blah, yackety yack - don't come back |Fax :+1 858 _/_\|_, > > > -- > [email protected] > http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list >
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
