On 21/06/15 20:14, Mark Murphy wrote:
> But what does your application do when it gets an invalid SQL statement?
> Maybe it is telling the attacker something important about your database so
> that they can compromise it with the appropriate injection.
It just defaults to the first news article in
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.
On 2:36PM, Sun, Jun 21, 2015 Lester Caine wrote:
> On 21/06/15 18:55, Richard wrote:
>
On 21/06/15 18:55, Richard wrote:
>>> OK - this had no chance of success since publish_date_desc is
>>> >> processed using the _desc ( or _asc ) and any invalid data
>>> >> stripped
>>> >>
>>> >>
>>> >> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
>>> >> ame_const(CHAR(111,10
> Date: Sunday, June 21, 2015 12:39:06 PM -0400
> From: Aziz Saleh
>
> On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine
> wrote:
>
>> OK - this had no chance of success since publish_date_desc is
>> processed using the _desc ( or _asc ) and any invalid data
>> stripped
>>
>>
>> &sort_mode=publi
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine wrote:
> OK - this had no chance of success since publish_date_desc is processed
> using the _desc ( or _asc ) and any invalid data stripped
>
>
> &sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,
On 16/05/15 14:51, Karl DeSaulniers wrote:
> Interesting. I program in MySQL on a hosting plan by a third party.
> I have heard/read MySQL is not an enterprise solution, but
> for the basic business with say less than 100,000 customers,
> it does the job and well. Larger than that I had hear Postg
On May 16, 2015, at 8:42 AM, Lester Caine wrote:
> On 16/05/15 10:00, Karl DeSaulniers wrote:
>> That does clarify things a bit better on both the @ question
>> and prepared statements. Thank you for the link as well.
>>
>> So new question.. what is the best type of database to use
>> for someon
On 16/05/15 10:00, Karl DeSaulniers wrote:
> That does clarify things a bit better on both the @ question
> and prepared statements. Thank you for the link as well.
>
> So new question.. what is the best type of database to use
> for someone who wants to start small and grow big?
>
> My findings
On May 16, 2015, at 3:51 AM, Lester Caine wrote:
> On 15/05/15 06:21, Karl DeSaulniers wrote:
>> Oh ok. Now it makes a little more sense.
>> I have worked in ASP before, but I am programming in PHP and MySQL at the
>> moment.
>>
>> I am going to look into Prepared Statements. Thanks for your
On 15/05/15 06:21, Karl DeSaulniers wrote:
> Oh ok. Now it makes a little more sense.
> I have worked in ASP before, but I am programming in PHP and MySQL at the
> moment.
>
> I am going to look into Prepared Statements. Thanks for your feedback.
Just to clarify things a little here and explai
-Kevin Waddell
Proverbs 3:5-6
On Fri, 5/15/15, Ruprecht Helms wrote:
Subject: Re: [PHP-DB] SQL Injection
To: php-db@lists.php.net
Date: Friday, May 15, 2015, 10:16 AM
On 15.05.2015 07:21, Karl DeSaulniers wrote:
> On May 14, 2015, at
On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw wrote:
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP.
I have looked in the link. Most problems by inject an sql-Code is to add
so
On May 14, 2015, at 11:11 PM, Onatawahtaw wrote:
> Hi Karl,
>
> If you look at the link you provided you'll notice that some of the code is
> for ASP.net and some is for PHP. What of the two are you programming in? If
> you are programming in ASP.net you are asking your question to the wrong
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP. What of the two are you programming in? If you are
programming in ASP.net you are asking your question to the wrong mailing list
as this list is for PHP. If you are programming
On May 14, 2015, at 8:37 PM, Jigme Datse Yli-Rasku
wrote:
> On 15/05/14 18:19 , Karl DeSaulniers wrote:
>> On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
>>
>>>
>>>
>>> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
>>> wrote:
>>> Hello Everyone,
>>> Have a quick question. Was reading s
On 15/05/14 18:19 , Karl DeSaulniers wrote:
On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto on
On May 14, 2015, at 8:09 PM, Aziz Saleh wrote:
>
>
> On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
> wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some Players
> perspective.
> I know w3schools is not the de-facto on everything, so I wanted to kno
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers
wrote:
> Hello Everyone,
> Have a quick question. Was reading some material and wanted some Players
> perspective.
> I know w3schools is not the de-facto on everything, so I wanted to know
> how reliable is the information on this page.
>
> http:/
Estimado veditio,
you wrote:
> I've got a ton of forms that use the $_POST variable to send
> information into the database [...]
> Any suggestions on how to tighten up the form security, or does
> magic_quotes help enough?
I'm not a security expert but after some attacks I have implemented
this
Haha.. what the hell? Ok, I know this is an older copy of the script I wrote
because I know I took out the "All this does is escape the data" comment and I
KNOW I saw the thing about mysql_escape_string() being deprecated... don't
know why it's still in there. Hah
Thanks for pointing that out
NOTE:
http://www.php.net/mysql_escape_string
"Version: 4.3.0
Description: This function became deprecated, do not use this
function. Instead, use mysql_real_escape_string()."
Jordan
On Aug 25, 2005, at 2:15 PM, <[EMAIL PROTECTED]> [EMAIL PROTECTED]> wrote:
Using mysql_escape_string shoul
I'm pretty amateur at this too, but have done a little reading on the subject.
Here's some nuggets to ponder while the real experts write their responses: :)
1. Magic quotes + mysql_escape_string = double escaped stuff. I think the
general opinion is the magic quotes is evil, but I'm sure some
Personally, I always check variables that I'm using in a query. If I'm
expecting eg a session id (32 hex characters) I check that the session id is
a valid one - ie "!$[0-9a-f]{32}$!" (I use ! as delimiter in regexps).
Allthough mysql_escape_string will probably protects me from injections, I
stil
23 matches
Mail list logo
