RE: ASP/PHP SQL Injection



Hi there,
To eradicate SQL attacks there are some solutions; the best one is to code
well ;). Here are some tips for PHP and Linux servers:

For PHP code:
a) limit the number of characters in the variables OR the valid characters
that can be used (A-Z, 0-9, etc.).
b) put addslashes or magic_quotes
c) create users in the DB with different privileges and always use the ones that
you need at each moment.

For Linux servers:
Use mod_security with good filters.

Use scanners to detect vulnerabilities before you officially launch the
site.

These are just some tips; our friends here on the mailing list will have some
more.

Thanks
Daniel Gargallo [Spain]
http://www.daniel-gargallo.com

-----Original Message-----
From: coder [mailto:elite.coder@xxxxxxxxxxxx]
Sent: Wednesday, 30 August 2006 0:20
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: ASP/PHP SQL Injection

Hi all,

I have been reading quite a bit into SQL injections and I just wondered if
my thinking is correct:

If one has the ASP or PHP source code for a site, they would just look for-

(written in a pseudo-ish code as I assume the same principles exist for ASP
and PHP)

$variable = get_value_from_url('variable') // ie blah.asp?variable="hello"

SQL = "SOME SQL" & $variable & "SOME MORE SQL"
or
<executing object (i.e. rs.open)> "SOME SQL" & $variable & "SOME MORE SQL"

When looking for potential SQL Injection attacks, it's one of the 2 SQL lines
one would look for... is that correct? And to stop SQL Injection attacks,
one only has to "sanitise" the variable with CLng() in the case of numeric
fields, and in the case of alphanumeric fields a built-in PHP/ASP/MySQL
function can be used.

Also, assuming my thinking above is correct, what does one look for when
checking for possible XSS attack?

Thanks for your input,

Davie Elliott
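As an added illustration (not code from either poster) of the concatenation pattern in the original question and of tips (a) and (c) in the reply: the vulnerable lookup builds the statement from the URL value, while the hardened one validates the value as an integer (the PHP counterpart of the CLng() idea) and binds it as a parameter, which works the same way for alphanumeric fields. It assumes an in-memory SQLite database through PDO, with a constructed table and rows, so it runs offline; in a real deployment the PDO connection would use the low-privilege DB account from tip (c).

```php
<?php
// Added example: in-memory SQLite via PDO; table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The pattern from the question: "SOME SQL" & $variable & "SOME MORE SQL".
// $id comes straight from the URL and is spliced into the statement text.
function lookupVulnerable(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: tip (a), restrict the value to the type/characters it may hold
// (a positive integer here), then pass it as a bound parameter so the value
// is data only and can never change the query text.
function lookupHardened(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($int === false) {
        return []; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a well-formed id and a malformed one that the
// vulnerable version treats as part of the WHERE clause.
$good = '1';
$bad  = '1 OR 1=1';

printf("vulnerable, good input: %d row(s)\n", count(lookupVulnerable($db, $good)));
printf("vulnerable, bad input:  %d row(s)\n", count(lookupVulnerable($db, $bad)));
printf("hardened, good input:   %d row(s)\n", count(lookupHardened($db, $good)));
printf("hardened, bad input:    %d row(s)\n", count(lookupHardened($db, $bad)));
```

The malformed value widens the vulnerable query to every row, while the hardened lookup rejects it before any SQL runs; the same validate-then-bind pattern is what a code review should look for at each of the two lines the question identifies.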



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------




