Re: PHP and secure MySQL injections
From: Chris Hope (chris_at_electrictoolbox.com)
Date: 05/26/04
- Next message: fbionyourtail: "PHP Dating Script"
- Previous message: Matthew Sims: "Re: PHP and secure MySQL injections"
- In reply to: Chris Hope: "Re: PHP and secure MySQL injections"
- Next in thread: Matthew Sims: "Re: PHP and secure MySQL injections"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Wed, 26 May 2004 14:21:00 +1200
Chris Hope wrote:
> Geoff Berrow wrote:
>
>> I noticed that Message-ID: <1085522841_319@news.athenanews.com> from
>> Chris Hope contained the following:
>>
>>> You don't need to test for semi-colons as long as you are ensuring the
>>> type of data is really what it should be and that quotes in strings are
>>> slashed to prevent the hacker passing something like '; delete from '
>>
>> I don't think MySQL will do that anyway.
>
> It will. I did it in a testing environment a couple of years back by
> passing in the GET string a character string when an integer was expected.
> This caused a database error and the error message was displayed on the
> page. I then used what was in the error message (which contained the full
> sql string - and yes, this does happen in live sites) to construct a valid
> end to the expected query and then added a delete query with the
> semi-colon. Voila, all data in the table deleted.
I'll just correct myself there, as I just ran another test for semi-colons
in MySQL... in 4.0.x you do not appear to be able to run multiple queries
separated by semi-colons (although another post indicates this may be the
case in 4.1).
I think the test I did must have been against PostgreSQL and not MySQL.
--
Chris Hope
The Electric Toolbox - http://www.electrictoolbox.com/
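An added example, not code from the thread, showing in PHP the two points Chris makes: make sure a numeric parameter really is an integer before it gets near the query, and never show the raw database error (which leaked the full SQL string) to the visitor. The table `articles` with columns `id` and `title` is an assumed schema, and the hardened version uses mysqli prepared statements, the current equivalent of slashing quotes.

```php
<?php
// Added example (not from the thread). Assumed schema: table `articles`
// with integer primary key `id` and text column `title`.

// --- The pattern the thread describes: a GET value spliced straight into
// --- the SQL string, and the raw database error echoed to the page.
function vulnerableLookup(mysqli $db, array $get): ?string
{
    $id  = $get['id'];                                   // never type-checked
    $sql = "SELECT title FROM articles WHERE id = $id";  // string splice
    $res = $db->query($sql);
    if ($res === false) {
        // Leaks the full query text to the visitor, exactly the foothold
        // Chris used in his test.
        die("Database error: " . $db->error . " in query: $sql");
    }
    $row = $res->fetch_assoc();
    return $row['title'] ?? null;
}

// --- Hardened form: type validation, a bound parameter, a generic error.
function safeLookup(mysqli $db, array $get): ?string
{
    // 1. Enforce the type. ctype_digit rejects "", "12abc", "-1", "1; ..."
    //    (assumption: article ids are positive integers).
    if (!isset($get['id']) || !is_string($get['id']) || !ctype_digit($get['id'])) {
        return null;  // treat as "not found"; nothing reaches the database
    }
    $id = (int) $get['id'];

    // 2. Bind the value instead of splicing it. The value travels separately
    //    from the statement text, so quotes or semicolons in the input cannot
    //    change the query, whether or not the server allows stacked statements.
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = ?');
    if ($stmt === false || !$stmt->bind_param('i', $id) || !$stmt->execute()) {
        // 3. Keep the detail server-side; the visitor gets a bare 500.
        error_log('articles lookup failed: ' . $db->error);
        http_response_code(500);
        return null;
    }
    $stmt->bind_result($title);
    return $stmt->fetch() ? $title : null;
}
```

The integer check alone already defeats the "character string where an integer was expected" probe that produced the error message in the first place; the bound parameter covers the string columns that used to rely on slashing quotes.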