Re: [Full-disclosure] SQL Injeciton.

From: Gabbar Sing (
Date: 08/20/05

  • Next message: "Re: [Full-disclosure] FrSIRT False Alarm"
    Date: Sat, 20 Aug 2005 01:42:36 -0400
    To: (Jeremy Bishop),

    Thanks I would definitely check on magic_quotes, but the fact is it escapes those characters, so theres no way...its succeptable to sql injection. and ofcourse i am asking this question here means the develper has not done any kind of sanitization checking. So, if SLQ injection is no possible even below given XXS wont be the case i guess,

    '><script>alert('ur hacked')</script>



    Jeremy Bishop <> wrote:

    >On Friday 19 August 2005 20:20, Gabbar Sing wrote:
    >> Hi,
    >> We have an internal web application written in PHP, in which the
    >> developer has got following line.
    >> At first sight I though its very much vulnerible to SQL Injection,
    >> but I am not just able to demonstrate it. As when i send the
    >> character " ' " it just escapes it before sending query to db as " '
    >> " thus failing my injection.
    >PHP has a feature known as magic quotes that can provide automatic
    >escaping of quotes in user-submitted data. I believe the configuration
    >variables to look at are "magic_quotes_gpc" and "magic_quotes_sybase",
    >or some variation on those; the documentation should be more revealing.
    >The developer may also have manually sanitized the data; I assume you
    >have checked for that already? The ideal means of handling input would
    >be to have the code check whether magic quotes are enabled and to take
    >appropriate action based on the result of that check.
    >My group's mission statement - 'You want *what* ? By *WHEN* ?'
    > -- Simon Burr
    >Full-Disclosure - We believe in it.
    >Hosted and sponsored by Secunia -

    Switch to Netscape Internet Service.
    As low as $9.95 a month -- Sign up today at

    Netscape. Just the Net You Need.

    New! Netscape Toolbar for Internet Explorer
    Search from anywhere on the Web and block those annoying pop-ups.
    Download now at
    Full-Disclosure - We believe in it.
    Hosted and sponsored by Secunia -

  • Next message: "Re: [Full-disclosure] FrSIRT False Alarm"

    Relevant Pages

    • Re: may I ask this question?
      ... Sharing of expertise is one thing, but over 10 years both of you have, ... post in the php NG. ... Internet for most people. ... using php and mysql at a very basic ...
    • Re: use/reuse of intranet business dlls by apps
      ... I read through the VB and write the exact logic in PHP. ... We want (OR our internet ... avoid the work of building two apps, one for web and one for intranet. ...
    • Re: Exception list problem in internet explorer in the Local Netwo
      ... But I don't want that the requests to the internal web sites in the local ... network go to the ISA proxy. ... However I never use GPO for proxy settings it is too rigid and does seem to have ... We use the ISA proxy server to go to internet in the local network. ...
    • RE: publish companyweb for external users
      ... site from the internet. ... When you click the internal web site link in the ... This newsgroup only focuses on SBS technical issues. ... you may want to contact Microsoft CSS directly. ...
    • Re: found clues about a security issue in a web server
      ... In the latest week my internet connection was frozen. ... i see this process in my webserver (stored ... That website use php and mysql. ... That security issue happen's by a bad-programmed script code, first of all, ...