Hi Robert -

From what you're saying I may not need to do anything besides creating
the default error. I'll try that and see what happens with the PCI
scans. The scan results sound exactly like the ones you describe. That
would be great if that's all it takes!

Thanks!

 -- Steve
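Robert's point in the quoted thread below, that the value Steve typed lands in the table unchanged because the server wraps it in single quotes and only an undoubled single quote matters, can be checked with this added example. It is my code, not Witango's or TeraScript's: the quoting is modelled by a hypothetical quote_literal function, an in-memory SQLite table stands in for MySQL, and a bound-parameter insert is shown alongside for comparison.

```python
import sqlite3

# Constructed inputs: the value Steve typed into the form, and a name containing
# the one character Robert says matters, an undoubled single quote.
SAMPLE_VALUES = ['Steve"); UPDATE customers...', "O'Brien"]


def quote_literal(value: str) -> str:
    """Hypothetical model of the wrapping the thread attributes to TeraScript:
    surround the value with single quotes and double any single quote inside.
    Double quotes and semicolons stay as they are; inside a quoted literal
    they are plain text, which is why Steve's test value is stored unchanged."""
    return "'" + value.replace("'", "''") + "'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (first_name TEXT)")
    return conn


def last_inserted(conn: sqlite3.Connection) -> str:
    sql = "SELECT first_name FROM customers ORDER BY rowid DESC LIMIT 1"
    return conn.execute(sql).fetchone()[0]


def insert_escaped(first_name: str) -> str:
    """Build the statement with quote_literal and return what was stored."""
    conn = fresh_db()
    conn.execute("INSERT INTO customers (first_name) VALUES ("
                 + quote_literal(first_name) + ")")
    return last_inserted(conn)


def insert_parameterized(first_name: str) -> str:
    """Same insert with a bound parameter: no escaping code, same stored value."""
    conn = fresh_db()
    conn.execute("INSERT INTO customers (first_name) VALUES (?)", (first_name,))
    return last_inserted(conn)


def insert_unescaped_raises(first_name: str) -> bool:
    """Raw concatenation with no escaping: an undoubled single quote breaks the
    statement, and the resulting SQL error is the kind of informative message
    a scanner reports unless a default error page replaces it."""
    conn = fresh_db()
    try:
        conn.execute("INSERT INTO customers (first_name) VALUES ('" + first_name + "')")
    except sqlite3.Error:
        return True
    return False


def escaping_is_invisible(values=SAMPLE_VALUES) -> bool:
    """True when every value round-trips unchanged through both safe methods."""
    return all(insert_escaped(v) == v and insert_parameterized(v) == v for v in values)
```

Steve's double-quote-and-semicolon value comes back exactly as typed by both safe paths, while the unescaped concatenation only fails on the single-quote input, which is the failure the scanner's error page was exposing.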



On 8/22/11, Robert Shubert <rshub...@tronics.com> wrote:
> Steve,
>
> Actually, your example there is incorrect.
>
> It is inappropriate that the user entered data is changed between what’s
> entered and what’s seen in the db. Escaping should be invisible to the data.
>
> In your example below, since Witango/TeraScript automatically wraps the
> value in a set of single quotes, the entire value, including the double
> quote and semi-colon will be considered text and not part of the SQL
> statement. This is 100% safe. Only the presence of an undoubled single-quote
> would cause an issue.
>
> I’ll mention one thing that I recently learned. The default error by the
> Witango Server is informative. When one of my PCI scans (I have 2 that are
> running against my sites) came back with hundreds of SQL injection errors I
> determined that they were seeing the error message which looked to contain
> parts of their injection attack and they took that as a fault. (arguably
> detailed errors can help hackers attack your site). I simply set up a
> default error which bounced to the home page and the re-scan came back
> clean.
>
> I’m not sure what kind of reporting they do, but if you can learn more about
> the specifics of the failure, we might be able to nail it down. But try
> setting a default error first and see if that solves everything.
>
> Robert
>
> From: Steve Briggs [mailto:st...@wowpages.com]
> Sent: Monday, August 22, 2011 9:02 AM
> To: Witango-Talk@witango.com
> Subject: Re: Witango-Talk: Witango / TeraScript MySQL escape meta tag
>
> Thanks Robert. That's what I'm not sure of. The PCI compliance scans are
> saying they are vulnerable to SQL injections, and if I enter something like
> this in a form field being inserted by a TAF:
>
> Steve"); UPDATE customers…
>
> then look at the database table, that's exactly what's in there. Shouldn't
> it be:
>
> Steve\"); UPDATE customers…
>
> if it is being escaped? I have to admit to a lack of knowledge in this area,
> so I apologize if I'm misunderstanding what the PCI compliance outfit is
> looking for. I can send you the specific URLs in private if you'd like.
>
> Thanks!
>
>  -- Steve
>
> On Aug 21, 2011, at 2:28 PM, Robert Shubert wrote:
>
> Steve,
>
> I’d like to look at your specific situation in more detail. Escaping of
> values in SQL statements should be automatically handled by TeraScript
> Server.
>
> Robert
>
> From: Steve Briggs [mailto:st...@wowpages.com]
> Sent: Sunday, August 21, 2011 11:30 AM
> To: Witango-Talk@witango.com
> Subject: Witango-Talk: Witango / TeraScript MySQL escape meta tag
>
> I need to convert a bunch of old TAFs for PCI compliance and I'm looking
> for the easiest way to escape insert and update statements to avoid SQL
> injections. Does anyone have a custom meta tag similar to PHP's
> mysql_escape_string? i.e. <@MYSQLESCAPE <@POSTARG first_name>>
>
> Or any other suggestions as to the best way to go about this?
>
> Thanks!
>
>  -- Steve
>
> **************************************************
> Steve Briggs
> Wow Pages
> Portland, Maine
> Longmont, Colorado
>
> 207-761-2450
> 888-325-5907
>
> st...@wowpages.com
> **************************************************
>
>   _____
>
> To unsubscribe from this list, please send an email to lists...@witango.com
> with "unsubscribe witango-talk" in the body.


--
**************************************************
Steve Briggs
Wow Pages
Portland, Maine
Houston, Texas

207-761-2450
888-325-5907

st...@wowpages.com

**************************************************

