Andrew Ballard wrote:

You don't need a disassembler; I already said what that string is
intended to do. If it is allowed to run on Microsoft's SQL Server, the
hex value is implicitly converted to the string "WAITFOR DELAY
'00:00:10'", which is then executed. It doesn't require semi-colons,
as SQL Server doesn't need them between statements. This particular
command is relatively harmless by itself. Its value lies in the fact
that if it causes the resulting page to take more than 10 seconds to
load, the attacker knows that your page is wide open to SQL injection
as well as knowing that he can execute anything he wants. If you're
running MySQL, this won't work so you should be unaffected. Just make
sure your code is written to prevent SQL injection and you should be

Would doing all SQL queries via PEAR MDB2 prepare() and execute() prevent SQL injection, or do other SQL injection prevention steps need to be taken when using PEAR MDB2?

PHP General Mailing List
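An added example (not code from either poster) that puts the two halves of the thread side by side: the string-concatenation pattern that lets a time-delay probe like the one Andrew describes run, and the same lookup done through PEAR MDB2 prepare()/execute(). It also shows the part of the question that prepare() alone does not answer, because placeholders only bind values: column names, sort direction and LIMIT must be whitelisted or cast. The DSN, the `products` table and its columns are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. The DSN, table and
// column names are assumptions for illustration.
require_once 'MDB2.php';

$db = MDB2::connect('mysqli://app:secret@localhost/shop');   // assumed DSN
if (MDB2::isError($db)) {
    die($db->getMessage());
}
$db->setFetchMode(MDB2_FETCHMODE_ASSOC);

// VULNERABLE: the request value becomes part of the SQL text. On SQL Server
// an id of  1 WAITFOR DELAY '00:00:10'  (or its hex-literal form) runs as a
// second statement; on MySQL the equivalent time-based probe is 1 OR SLEEP(10).
// A page that takes ten seconds longer to render tells the attacker the
// parameter is injectable and that anything else he sends will run too.
function findProductUnsafe($db, $id)
{
    $sql = "SELECT name, price FROM products WHERE id = " . $id;
    $res = $db->query($sql);
    return MDB2::isError($res) ? null : $res->fetchRow();
}

// SAFE: the SQL text is fixed before any user data is seen. The value is
// bound to a typed placeholder, so MDB2 either sends a real prepared
// statement or quotes the value client side for the declared type; in
// neither case can the value change the statement's structure. An "id" of
// 1 OR SLEEP(10) is coerced to the integer 1 (or the query fails), not run.
function findProduct($db, $id)
{
    $sth = $db->prepare(
        'SELECT name, price FROM products WHERE id = ?',
        array('integer'),
        MDB2_PREPARE_RESULT
    );
    if (MDB2::isError($sth)) {
        return null;
    }
    $res = $sth->execute(array($id));
    $sth->free();
    return MDB2::isError($res) ? null : $res->fetchRow();
}

// STILL NEEDED: placeholders only bind values. Column names, sort order and
// LIMIT are SQL syntax, so they must be whitelisted or cast rather than
// pasted in; prepare() does nothing for them.
function listProducts($db, $sortColumn, $direction, $pageSize)
{
    $allowedColumns = array('name', 'price', 'created');   // assumed columns
    if (!in_array($sortColumn, $allowedColumns, true)) {
        $sortColumn = 'name';
    }
    $direction = (strtoupper($direction) === 'DESC') ? 'DESC' : 'ASC';
    $db->setLimit((int) $pageSize);        // LIMIT through the API, not string glue
    $sql = 'SELECT name, price FROM products ORDER BY '
         . $db->quoteIdentifier($sortColumn) . ' ' . $direction;
    $res = $db->query($sql);
    return MDB2::isError($res) ? array() : $res->fetchAll();
}

// Constructed request values: a normal id, then the style of probe
// described in the thread. Neither can alter the prepared statement.
foreach (array('1', '1 OR SLEEP(10)') as $id) {
    $row = findProduct($db, $id);
    echo $id, ' => ', ($row ? $row['name'] : 'no row'), "\n";
}
print_r(listProducts($db, 'price; DROP TABLE products', 'desc', '5'));
```

Two things to check in a real code base: that every query goes through prepare()/execute() (one leftover concatenated query is enough), and that nothing is interpolated into the SQL string before it reaches prepare(), since MDB2 can only protect the parts of the statement it binds.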