Re: [PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
On 21/06/15 20:14, Mark Murphy wrote: > But what does your application do when it gets an invalid SQL statement? > Maybe it is telling the attacker something important about your database so > that they can compromise it with the appropriate injection. It just defaults to the first news article in

Re: [PHP-DB] SQL injection

2015-06-21 Thread Mark Murphy
But what does your application do when it gets an invalid SQL statement? Maybe it is telling the attacker something important about your database so that they can compromise it with the appropriate injection. On 2:36PM, Sun, Jun 21, 2015 Lester Caine wrote: > On 21/06/15 18:55, Richard wrote: >

Re: [PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
On 21/06/15 18:55, Richard wrote: >>> OK - this had no chance of success since publish_date_desc is >>> >> processed using the _desc ( or _asc ) and any invalid data >>> >> stripped >>> >> >>> >> >>> >> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n >>> >> ame_const(CHAR(111,10

Re: [PHP-DB] SQL injection

2015-06-21 Thread Richard
> Date: Sunday, June 21, 2015 12:39:06 PM -0400 > From: Aziz Saleh > > On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine > wrote: > >> OK - this had no chance of success since publish_date_desc is >> processed using the _desc ( or _asc ) and any invalid data >> stripped >> >> >> &sort_mode=publi

Re: [PHP-DB] SQL injection

2015-06-21 Thread Aziz Saleh
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine wrote: > OK - this had no chance of success since publish_date_desc is processed > using the _desc ( or _asc ) and any invalid data stripped > > > &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,

[PHP-DB] SQL injection

2015-06-21 Thread Lester Caine
OK - this had no chance of success since publish_date_desc is processed using the _desc ( or _asc ) and any invalid data stripped &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,

Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 16/05/15 14:51, Karl DeSaulniers wrote: > Interesting. I program in MySQL on a hosting plan by a third party. > I have heard/read MySQL is not an enterprise solution, but > for the basic business with say less than 100,000 customers, > it does the job and well. Larger than that I had hear Postg

Re: [PHP-DB] SQL Injection

2015-05-16 Thread Karl DeSaulniers
On May 16, 2015, at 8:42 AM, Lester Caine wrote: > On 16/05/15 10:00, Karl DeSaulniers wrote: >> That does clarify things a bit better on both the @ question >> and prepared statements. Thank you for the link as well. >> >> So new question.. what is the best type of database to use >> for someon

Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 16/05/15 10:00, Karl DeSaulniers wrote: > That does clarify things a bit better on both the @ question > and prepared statements. Thank you for the link as well. > > So new question.. what is the best type of database to use > for someone who wants to start small and grow big? > > My findings

Re: [PHP-DB] SQL Injection

2015-05-16 Thread Karl DeSaulniers
On May 16, 2015, at 3:51 AM, Lester Caine wrote: > On 15/05/15 06:21, Karl DeSaulniers wrote: >> Oh ok. Now it makes a little more sense. >> I have worked in ASP before, but I am programming in PHP and MySQL at the >> moment. >> >> I am going to look into Prepared Statements. Thanks for your

Re: [PHP-DB] SQL Injection

2015-05-16 Thread Lester Caine
On 15/05/15 06:21, Karl DeSaulniers wrote: > Oh ok. Now it makes a little more sense. > I have worked in ASP before, but I am programming in PHP and MySQL at the > moment. > > I am going to look into Prepared Statements. Thanks for your feedback. Just to clarify things a little here and explai

Re: [PHP-DB] SQL Injection

2015-05-15 Thread Onatawahtaw
-Kevin Waddell Proverbs 3:5-6 On Fri, 5/15/15, Ruprecht Helms wrote: Subject: Re: [PHP-DB] SQL Injection To: php-db@lists.php.net Date: Friday, May 15, 2015, 10:16 AM On 15.05.2015 07:21, Karl DeSaulniers wrote: > On May 14, 2015, at

Re: [PHP-DB] SQL Injection

2015-05-15 Thread Ruprecht Helms
On 15.05.2015 07:21, Karl DeSaulniers wrote: On May 14, 2015, at 11:11 PM, Onatawahtaw wrote: Hi Karl, If you look at the link you provided you'll notice that some of the code is for ASP.net and some is for PHP. I have looked in the link. Most problems by inject an sql-Code is to add so

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Karl DeSaulniers
On May 14, 2015, at 11:11 PM, Onatawahtaw wrote: > Hi Karl, > > If you look at the link you provided you'll notice that some of the code is > for ASP.net and some is for PHP. What of the two are you programming in? If > you are programming in ASP.net you are asking your question to the wrong

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Onatawahtaw
Hi Karl, If you look at the link you provided you'll notice that some of the code is for ASP.net and some is for PHP. What of the two are you programming in? If you are programming in ASP.net you are asking your question to the wrong mailing list as this list is for PHP. If you are programming

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Karl DeSaulniers
On May 14, 2015, at 8:37 PM, Jigme Datse Yli-Rasku wrote: > On 15/05/14 18:19 , Karl DeSaulniers wrote: >> On May 14, 2015, at 8:09 PM, Aziz Saleh wrote: >> >>> >>> >>> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers >>> wrote: >>> Hello Everyone, >>> Have a quick question. Was reading s

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Jigme Datse Yli-Rasku
On 15/05/14 18:19 , Karl DeSaulniers wrote: On May 14, 2015, at 8:09 PM, Aziz Saleh wrote: On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers wrote: Hello Everyone, Have a quick question. Was reading some material and wanted some Players perspective. I know w3schools is not the de-facto on

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Karl DeSaulniers
On May 14, 2015, at 8:09 PM, Aziz Saleh wrote: > > > On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers > wrote: > Hello Everyone, > Have a quick question. Was reading some material and wanted some Players > perspective. > I know w3schools is not the de-facto on everything, so I wanted to kno

Re: [PHP-DB] SQL Injection

2015-05-14 Thread Aziz Saleh
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers wrote: > Hello Everyone, > Have a quick question. Was reading some material and wanted some Players > perspective. > I know w3schools is not the de-facto on everything, so I wanted to know > how reliable is the information on this page. > > http:/

[PHP-DB] SQL Injection

2015-05-14 Thread Karl DeSaulniers
Hello Everyone, Have a quick question. Was reading some material and wanted some Players perspective. I know w3schools is not the de-facto on everything, so I wanted to know how reliable is the information on this page. http://www.w3schools.com/sql/sql_injection.asp Namely the @ symbol before S

[PHP-DB] SQL injection attempt

2015-03-11 Thread Lester Caine
Been a while since I've had a concerted hacker attempt, but over night this has appeared in the logs. 'sort_mode' => 'last_modified_desc\' and(/**/sElEcT 1 /**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT /**/uNhEx(/**/hEx(/**/cOnCaT(0x217e21,0x4142433134355a5136324457514146504f49594

Re: [PHP-DB] SQL Injection attack

2005-08-25 Thread Vicente
Estimado veditio, you wrote: > I've got a ton of forms that use the $_POST variable to send > information into the database [...] > Any suggestions on how to tighten up the form security, or does > magic_quotes help enough? I'm not a security expert but after some attacks I have implemented this

Re: [PHP-DB] SQL Injection attack

2005-08-25 Thread tg-php
Haha.. what the hell? Ok, I know this is an older copy of the script I wrote because I know I took out the "All this does is escape the data" comment and I KNOW I saw the thing about mysql_escape_string() being deprecated... don't know why it's still in there. Hah Thanks for pointing that out

Re: [PHP-DB] SQL Injection attack

2005-08-25 Thread Jordan Miller
NOTE: http://www.php.net/mysql_escape_string "Version: 4.3.0 Description: This function became deprecated, do not use this function. Instead, use mysql_real_escape_string()." Jordan On Aug 25, 2005, at 2:15 PM, <[EMAIL PROTECTED]> [EMAIL PROTECTED]> wrote: Using mysql_escape_string shoul

Re: [PHP-DB] SQL Injection attack

2005-08-25 Thread tg-php
I'm pretty amateur at this too, but have done a little reading on the subject. Here's some nuggets to ponder while the real experts write their responses: :) 1. Magic quotes + mysql_escape_string = double escaped stuff. I think the general opinion is the magic quotes is evil, but I'm sure some

[PHP-DB] SQL Injection attack

2005-08-25 Thread veditio
Greetings all: Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes). I've got a ton of forms that use the $_POST variable to send information into the database, and I'm worried about injection attacks. My server has magic_quotes enabled, which I thought would handle most things, but am wonderi

RE: [PHP-DB] sql injection attack, protection from

2005-05-17 Thread Juffermans, Jos
e from injections, I still verify the data. Jos -Original Message- From: mayo [mailto:[EMAIL PROTECTED] Sent: 16 May 2005 23:55 To: php-db@lists.php.net Subject: [PHP-DB] sql injection attack, protection from I'm new to PHP and would like to make certain that I have the basic prote

[PHP-DB] sql injection attack, protection from

2005-05-16 Thread mayo
I'm new to PHP and would like to make certain that I have the basic protection for the site: Use double quotes to contain variable Use mysql_escape_string so that query is considered part of the WHERE clause. $result=mysql_query('SELECT * FROM users WHERE username="'.mysql_escape_string($_GET['

[PHP-DB] SQL injection & prepared statements

2004-06-25 Thread Gerard Samuel
Just looking for opinions on sql injection while using prepared statements. I've read at the oci8 extension that content should not be "escaped" --- Do not use magic_quotes_gpc or addslashes() and oci_bind_by_name() simultaneously as no quoting is needed and any magically applied quotes will be