Re: [PHP] SQL Injection/Data Balidation

2002-08-16 Thread Edwin @

Yeah, I'm scared...

Please excuse me but may I say that it seems like you've sent some wrong 
info to the wrong mailing list?

I use PHP NOT ASP, I use MySQL or PostgreSQL or Oracle but NOT M$ SQL 
Server. And IIS? Of course, some people use it (perhaps) because of some 
unavoidable circumstances but I don't--I use Apache NOT IIS.

Of course, there's nothing bad about being cautious... However, please send 
some links (or documents) that are more relevant...

Thanks anyway, now *I* have something to scare my friends... ;)

- E


Please CC me as I'm on digest:
--

Are there any libraries for data validation available? If one reads
papers like these:

   http://www.nextgenss.com/papers/advanced_sql_injection.pdf
   http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

It becomes apparent that sites using databases are incredibly open to
attack because of the ingenuity of the attackers. I think there should
be a PHPGuardLib or something. After reading those articles, I plan on
filtering ALL input for semi-colons and 'chr(' character strings. In
the cases where I want to accept apostrophes, I'm going to be very
careful.

Also, are there any attacks to email programs on linux that can be done
through input forms?

PS, for those who think escaping user input only on apostrophes, THINK
AGAIN! And read the articles above.
--

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] SQL Injection/Data Balidation

2002-08-16 Thread Randy Johnson

I didn't see that, what a waste of paper

Randy
- Original Message -
From: Edwin @ [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Friday, August 16, 2002 1:14 PM
Subject: Re: [PHP] SQL Injection/Data Balidation





Re: [PHP] SQL Injection/Data Balidation

2002-08-16 Thread Edwin @

Actually, I DID read the articles before I replied.

If you read it again, the basic problem is not about any extended SQLServer 
functionality--it's about how ASP works AND how the database server was 
configured AND how Window$ works.

Sorry, but the attacks mentioned CANNOT be done on any of the database 
servers that I've used. And with PHP, Apache, Linux combination, they just 
don't apply.

Hey, don't get me wrong. I really appreciate any security info but 
personally I don't think they apply here...

- E

HINT: PHP doesn't use another ' (single quote) character to escape another 
single quote character--it's just basically stupid to do so.

HINT 2: Configure your database server to have, for example, (1) a database 
username/password that can only SELECT -- enough for dynamically generated 
pages (2) a username/password that can only do INSERT or UPDATE, etc. Why 
would I make a username/password for my web pages that can delete an important 
table or the entire database itself?


If you'll thoroughly read the articles, most of those attacks that don't
involve the use of extended SQLServer functionality, CAN be done on
other RDBMS's. And if nothing else, you'll see the ingenuity of the
attackers.

Hey, take what you liked, and leave the rest lay.
--

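HINT 2 put into practice, as an added example that is not code from this thread: two least-privilege MySQL accounts, one for page rendering and one for form handling, used from PHP with bound parameters in place of the semicolon and 'chr(' filtering proposed earlier. The database, table, account names and environment variable names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a MySQL database "shop"
// with a table "products", and two accounts created by the DBA roughly as:
//   CREATE USER 'web_ro'@'localhost' IDENTIFIED BY '<password>';
//   GRANT SELECT ON shop.* TO 'web_ro'@'localhost';
//   CREATE USER 'web_rw'@'localhost' IDENTIFIED BY '<password>';
//   GRANT INSERT, UPDATE ON shop.products TO 'web_rw'@'localhost';
// Neither account holds DELETE or DROP, so even a successful injection
// cannot wipe the table; bound parameters stop the injection itself.

function connect(string $user, string $password): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', $user, $password, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// Page rendering uses the SELECT-only account. The search string is sent as a
// parameter, never spliced into the SQL text, so semicolons, apostrophes or
// chr() sequences in it are plain data and need no blacklist filtering.
function findProducts(PDO $readOnly, string $search): array
{
    // Escape LIKE wildcards so the user cannot widen the match with % or _
    // (MySQL's default LIKE escape character is the backslash).
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $readOnly->prepare(
        'SELECT id, name, price FROM products WHERE name LIKE ? LIMIT 50'
    );
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Form handlers use the INSERT/UPDATE account, again with bound parameters.
function addProduct(PDO $writer, string $name, float $price): int
{
    $stmt = $writer->prepare('INSERT INTO products (name, price) VALUES (?, ?)');
    $stmt->execute([$name, $price]);
    return (int) $writer->lastInsertId();
}

// Passwords come from the environment, not from the page source.
$readOnly = connect('web_ro', (string) getenv('WEB_RO_PASSWORD'));
// A value such as "' OR '1'='1" is matched literally against product names.
print_r(findProducts($readOnly, $_GET['q'] ?? ''));

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $writer = connect('web_rw', (string) getenv('WEB_RW_PASSWORD'));
    addProduct($writer, $_POST['name'] ?? '', (float) ($_POST['price'] ?? 0));
}
```

The read-only connection is all a dynamically generated page ever needs; only the handler that actually writes opens the second one, so a flaw in a display page cannot reach INSERT or UPDATE at all.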





Re: [PHP] SQL Injection/Data Balidation

2002-08-16 Thread Edwin @

Oops! Sorry! I meant to say apostrophe and not single quotes...

And sorry 'bout this additional post...

Regards,

- E
