RE: [PHP] SQL security

From: Mike Migurski (mike_at_saturn5.com)
Date: 10/17/03


Date: Fri, 17 Oct 2003 09:15:25 -0700 (PDT)
To: "Chris W. Parker" <cparker@swatgear.com>


>> If you're using MySQL, you can use mysql_real_escape_string(). If
>> you're using another database, hopefully there is a similar function.
>
>Doesn't MySQL automatically protect against attacks like SQL injection?
>Or maybe it's that it automatically applies addslashes()? I can't
>remember exactly.

No - I don't think any database could automatically protect against SQL
injection, since the basis of that attack is the malformation of queries
before they even hit the DB. There is a magic quotes feature, which adds
slashes to request variables. You may be thinking of that:

        <http://php.net/manual/en/ref.info.php#ini.magic-quotes-gpc>

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca http://mike.teczno.com/contact.html
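The point above (the query is malformed before the database ever sees it, so only the application can prevent it) as an added worked example. This is not code from the thread or from PHP; it uses Python's sqlite3 module with an in-memory database instead of MySQL, so the escaping function is SQLite's own rule (double the single quote) rather than mysql_real_escape_string(), which is exactly why a per-database escaping function is needed. The table, rows and helper names are constructed for the demo. It also goes one step beyond the thread by showing the unquoted numeric case, where quote-escaping (addslashes, magic quotes, or a real_escape_string) cannot help and only a parameterised query does.

```python
import sqlite3


def make_db():
    """Constructed sample table (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


def escape_sqlite(value):
    """SQLite analogue of mysql_real_escape_string(): a single quote inside a
    string literal is written as two single quotes. Backslash escaping (what
    addslashes()/magic quotes produce) is a MySQL convention and would NOT
    terminate the attack here: SQLite treats the backslash as a plain character."""
    return value.replace("'", "''")


def lookup_concat(conn, name):
    """Vulnerable: untrusted input is pasted into the SQL text. The DB receives a
    syntactically valid query and executes it faithfully."""
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Escaping keeps the input inside the quoted literal, so 'x'' OR ...' is
    compared as a literal string and matches nothing."""
    sql = "SELECT id FROM users WHERE name = '" + escape_sqlite(name) + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterised query: the value never becomes part of the SQL text."""
    rows = conn.execute("SELECT id FROM users WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]


def by_id_escaped(conn, user_id):
    """Unquoted numeric context: there is no quote to break out of, so quote
    escaping changes nothing and the injected boolean is evaluated as SQL."""
    sql = "SELECT name FROM users WHERE id = " + escape_sqlite(user_id) + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def by_id_param(conn, user_id):
    """Bound as a single value, '1 OR 1=1' is just a string that equals no id."""
    rows = conn.execute("SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    payload = "x' OR '1'='1"          # classic string-context injection
    numeric_payload = "1 OR 1=1"      # injection in an unquoted numeric context
    print("concat   :", lookup_concat(make_db(), payload))    # every user id
    print("escaped  :", lookup_escaped(make_db(), payload))   # nothing
    print("param    :", lookup_param(make_db(), payload))     # nothing
    print("id concat:", by_id_escaped(make_db(), numeric_payload))  # every name
    print("id param :", by_id_param(make_db(), numeric_payload))    # nothing
```

The first function is what "the query is malformed before it hits the DB" looks like in practice: the server sees `WHERE name = 'x' OR '1'='1'`, which is perfectly valid SQL. Escaping fixes the quoted-string case only when the escape rules match the target database, and it does nothing for unquoted numbers; binding parameters covers both, which is why it is the preferred fix regardless of which escaping function a given driver offers.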
