Re: [PHP] SQL Injection/Data Validation

2002-08-16 Thread Edwin @

Oops! Sorry! I meant to say "apostrophe" and not "single quotes"...

And sorry 'bout this additional post...

Regards,

- E

>Actually, I DID read the articles before I replied.
>
>If you read it again, the basic problem is not about any "extended 
>SQLServer functionality"--it's about how ASP works AND how the database 
>server was configured AND how Window$ works.
>
>Sorry, but the attacks mentioned CANNOT be done on any of the database 
>servers that I've used. And with PHP, Apache, Linux combination, they just 
>don't apply.
>
>Hey, don't get me wrong. I really appreciate any security info but 
>personally I don't think they apply here...
>
>- E
>
>HINT: PHP doesn't use another "'" (single quote) character to escape 
>another single quote character--it's just basically stupid to do so.
>
>HINT 2: Configure your database server to have, for example, (1) a database 
>username/password that can only SELECT -- enough for dynamically generated 
>pages (2) a username/password that can only do INSERT or UPDATE, etc. Why 
>would I make a username/password for my web pages that can delete important 
>table or the entire database itself?
>
>>
>>If you'll thoroughly read the articles, most of those attacks that don't
>>involve the use of extended SQLServer functionality, CAN be done on
>>other RDBMS's. And if nothing else, you'll see the ingenuity of the
>>attackers.
>>
>>Hey, take what you liked, and leave the rest lay.
>>--
>>
>>If You want to buy computer parts, see the reviews at:
>>http://www.cnet.com/
>>**OR EVEN BETTER COMPILATIONS**!!
>>http://sysopt.earthweb.com/userreviews/products/




Chat with your friends online using MSN Messenger: http://messenger.msn.com


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] SQL Injection/Data Validation

2002-08-16 Thread Edwin @

Actually, I DID read the articles before I replied.

If you read it again, the basic problem is not about any "extended SQLServer 
functionality"--it's about how ASP works AND how the database server was 
configured AND how Window$ works.

Sorry, but the attacks mentioned CANNOT be done on any of the database 
servers that I've used. And with PHP, Apache, Linux combination, they just 
don't apply.

Hey, don't get me wrong. I really appreciate any security info but 
personally I don't think they apply here...

- E

HINT: PHP doesn't use another "'" (single quote) character to escape another 
single quote character--it's just basically stupid to do so.

HINT 2: Configure your database server to have, for example, (1) a database 
username/password that can only SELECT -- enough for dynamically generated 
pages (2) a username/password that can only do INSERT or UPDATE, etc. Why 
would I make a username/password for my web pages that can delete important 
table or the entire database itself?

>
>If you'll thoroughly read the articles, most of those attacks that don't
>involve the use of extended SQLServer functionality, CAN be done on
>other RDBMS's. And if nothing else, you'll see the ingenuity of the
>attackers.
>
>Hey, take what you liked, and leave the rest lay.
>--
>
>If You want to buy computer parts, see the reviews at:
>http://www.cnet.com/
>**OR EVEN BETTER COMPILATIONS**!!
>http://sysopt.earthweb.com/userreviews/products/








Re: [PHP] SQL Injection/Data Validation

2002-08-16 Thread Randy Johnson

I didn't see that, what a waste of paper

Randy
- Original Message -
From: "Edwin @" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Friday, August 16, 2002 1:14 PM
Subject: Re: [PHP] SQL Injection/Data Validation


> Yeah, I'm scared...
>
> Please excuse me but may I say that it seems like you've sent some wrong
> info to the wrong mailing list?
>
> I use PHP NOT ASP, I use MySQL or PostgreSQL or Oracle but NOT M$ SQL
> Server. And IIS? Of course, some people use it (perhaps) because of some
> unavoidable circumstances but I don't--I use Apache NOT IIS.
>
> Of course, there's nothing bad about being cautious... However, please send
> some links (or documents) that are more relevant...
>
> Thanks anyway, now *I* have something to scare my friends... ;)
>
> - E
>
> >
> >Please CC me as I'm on digest:
> >--
> >
> >Are there any libraries for data validation available? If one reads
> >papers like these:
> >
> > http://www.nextgenss.com/papers/advanced_sql_injection.pdf
> > http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
> >
> >It becomes apparent that sites using databases are incredibly open to
> >attack because of the ingenuity of the attackers. I think there should
> >be a PHPGuardLib or something. After reading those articles, I plan on
> >filtering ALL input for semi-colons and 'chr(' character strings. In
> >the cases where I want to accept apostrophes, I'm going to be very
> >careful.
> >
> >Also, are there any attacks to email programs on linux that can be done
> >through input forms?
> >
> >PS, for those who think escaping user input only on apostrophes, THINK
> >AGAIN! And read the articles above.
> >--
> >
> >If You want to buy computer parts, see the reviews at:
> >http://www.cnet.com/
> >**OR EVEN BETTER COMPILATIONS**!!
> >http://sysopt.earthweb.com/userreviews/products/
> >







Re: [PHP] SQL Injection/Data Validation

2002-08-16 Thread Edwin @

Yeah, I'm scared...

Please excuse me but may I say that it seems like you've sent some wrong 
info to the wrong mailing list?

I use PHP NOT ASP, I use MySQL or PostgreSQL or Oracle but NOT M$ SQL 
Server. And IIS? Of course, some people use it (perhaps) because of some 
unavoidable circumstances but I don't--I use Apache NOT IIS.

Of course, there's nothing bad about being cautious... However, please send 
some links (or documents) that are more relevant...

Thanks anyway, now *I* have something to scare my friends... ;)

- E

>
>Please CC me as I'm on digest:
>--
>
>Are there any libraries for data validation available? If one reads
>papers like these:
>
>   http://www.nextgenss.com/papers/advanced_sql_injection.pdf
>   http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf
>
>It becomes apparent that sites using databases are incredibly open to
>attack because of the ingenuity of the attackers. I think there should
>be a PHPGuardLib or something. After reading those articles, I plan on
>filtering ALL input for semi-colons and 'chr(' character strings. In
>the cases where I want to accept apostrophes, I'm going to be very
>careful.
>
>Also, are there any attacks to email programs on linux that can be done
>through input forms?
>
>PS, for those who think escaping user input only on apostrophes, THINK
>AGAIN! And read the articles above.
>--
>
>If You want to buy computer parts, see the reviews at:
>http://www.cnet.com/
>**OR EVEN BETTER COMPILATIONS**!!
>http://sysopt.earthweb.com/userreviews/products/




MSN Hotmail is the largest email provider in the world... what are you waiting for to get an account? http://www.hotmail.it






[PHP] SQL Injection/Data Validation

2002-08-16 Thread Dennis Gearon

Please CC me as I'm on digest:
--

Are there any libraries for data validation available? If one reads
papers like these:

http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

It becomes apparent that sites using databases are incredibly open to
attack because of the ingenuity of the attackers. I think there should
be a PHPGuardLib or something. After reading those articles, I plan on
filtering ALL input for semi-colons and 'chr(' character strings. In
the cases where I want to accept apostrophes, I'm going to be very
careful.

Also, are there any attacks to email programs on linux that can be done
through input forms?

PS, for those who think escaping user input only on apostrophes, THINK
AGAIN! And read the articles above.
-- 

If You want to buy computer parts, see the reviews at:
http://www.cnet.com/
**OR EVEN BETTER COMPILATIONS**!!
http://sysopt.earthweb.com/userreviews/products/

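An added example, not code from the thread or from any list member, illustrating two points raised in it: Dennis's plan to filter all input for semicolons and 'chr(' strings, and Edwin's HINT about how quote characters get escaped. It uses Python's sqlite3 module as a stand-in for the MySQL/PostgreSQL servers mentioned in the thread, with a constructed three-row table; the function names, the table and the sample values are all assumptions. It shows that a substring blocklist lets an input with no semicolon through to the SQL parser and breaks on a legitimate apostrophe, while a parameterized query accepts the apostrophe as data and never has to pick an escaping convention at all.

```python
import re
import sqlite3

# Constructed sample data (not from the thread): a tiny in-memory table.
# sqlite3 stands in for the MySQL/PostgreSQL servers discussed in the thread.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),  # a legitimate name containing an apostrophe
]


def make_db():
    """Create and populate the in-memory database used by the examples."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


# The blocklist proposed in the thread: reject semicolons and 'chr(' substrings.
BLOCKLIST = re.compile(r";|chr\(", re.IGNORECASE)


def passes_blocklist(value):
    """True if the value contains none of the blocklisted substrings."""
    return BLOCKLIST.search(value) is None


def lookup_concat(conn, name):
    """Weak pattern: string-concatenated SQL guarded only by the blocklist.

    The blocklist cannot tell data from SQL syntax: an input that closes the
    quote and adds its own condition contains no ';' or 'chr(' and is let
    through, while an honest name with an apostrophe produces a syntax error.
    """
    if not passes_blocklist(name):
        raise ValueError("rejected by blocklist")
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened pattern: a parameterized query.

    The driver sends the value separately from the SQL text, so quotes inside
    the value never reach the SQL parser as syntax. The application does not
    have to choose between backslash escaping and doubled quotes.
    """
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY id", (name,))]


def demo():
    """Run the comparison and return a dict of outcomes for inspection."""
    conn = make_db()
    probe = "x' OR 'a'='a"        # passes the blocklist: no ';' or 'chr(' in it
    apostrophe_name = "o'brien"    # also passes the blocklist
    results = {
        "blocklist_accepts_probe": passes_blocklist(probe),
        "concat_rows_for_probe": lookup_concat(conn, probe),
        "param_rows_for_probe": lookup_param(conn, probe),
        "param_rows_for_apostrophe": lookup_param(conn, apostrophe_name),
    }
    try:
        lookup_concat(conn, apostrophe_name)
        results["concat_apostrophe_error"] = None
    except sqlite3.OperationalError as exc:
        # The concatenated query breaks on an ordinary apostrophe.
        results["concat_apostrophe_error"] = type(exc).__name__
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Running `demo()` shows the concatenated query returning every row for the probe string even though the blocklist accepted it, and failing outright on "o'brien", whereas the parameterized query returns nothing for the probe and exactly the one matching row for the apostrophe. The least-privilege database accounts from Edwin's HINT 2 are a separate layer that limits what a query can do once it runs; they complement, rather than replace, keeping input out of the SQL text.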