Can you demonstrate a URL/attack that would constitute an injection attack that would get around magic-quotes, or provide some links to such?

Alex

On 10/31/05, MaXX <bs139412@xxxxxxxxx> wrote:
> Hi,
>
> Yonatan Ben-Nes wrote:
> > Hi all,
> >
> > I'm currently trying to build a defence against SQL INJECTION. After
> > reading some material on it I arrived at a few possible solutions, and I
> > would like to know if anyone can comment on them or maybe
> > add a solution of their own:
> [...]
>
> If you're running PHP on an Apache server, check mod_security; you'll have to
> tune its default ruleset a little bit, but it does a great job for me. It
> will not protect you against tricks like 'chr(39)' (single quote) or the
> funnier 'cH%52(123-84)' unless you write specific rules. It inspects both
> GET and POST payloads, performs unescaping and lots of other cool things
> (protection against shell command injection)...
> Be warned, it has some side effects, as it will kick you off if you try to
> publish SQL code on your site even if your code isn't malicious, or
> sentences that may look like SQL (delete from something)...
>
> As suggested, parameter validation is required; regexps are great for this
> job and are easy to learn (do it, you'll see). Do the validation in your PHP
> before sending the query to your server (do not rely only on checking
> inside stored procedures, as the injection can take place before the actual
> checking).
>
> HTH,
> --
> MaXX
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend
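The thread makes two defensive points: quote-escaping (magic_quotes / addslashes) has nothing to bite on in payloads such as `chr(39)` or `cH%52(123-84)` that contain no quote characters, and allowlist validation of every parameter in the application, followed by a parameterized query, closes that gap regardless. The following is an added example written for this page, not code from anyone in the thread; it is in Python with an in-memory SQLite database standing in for PostgreSQL so it runs offline (in PHP against PostgreSQL the parameterized call would be `pg_query_params()`). The `PATTERNS` allowlist, the `users` table and its rows are constructed for the example; `magic_quotes()` is a hand-written emulation of PHP's `addslashes()` behaviour, not the PHP function itself.

```python
import re
import sqlite3  # stand-in for PostgreSQL so the example runs offline

# Allowlist: one pattern per accepted parameter name (constructed for this example).
# Anything not matching, or any parameter name not listed here, is rejected outright.
PATTERNS = {
    "id": re.compile(r"[0-9]{1,10}"),
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
}


class ValidationError(ValueError):
    """Raised when a request parameter fails allowlist validation."""


def validate(params):
    """Return only parameters that match their allowlist pattern; reject everything else."""
    clean = {}
    for name, value in params.items():
        pattern = PATTERNS.get(name)
        if pattern is None or not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"rejected parameter {name!r}")
        clean[name] = value
    return clean


def magic_quotes(value):
    """Emulation of PHP addslashes(), which magic_quotes_gpc applied to GET/POST/cookie data.

    It backslash-escapes single quote, double quote, backslash and NUL and changes
    nothing else, so a value with none of those characters passes through untouched.
    """
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def make_db():
    """Constructed sample table so lookup_user() has something to query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user(params, conn=None):
    """Validate in the application first, then send values separately from the SQL text."""
    clean = validate(params)          # raises before any query is built
    conn = conn or make_db()
    # Placeholder binding: the driver never splices the value into the statement string.
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(clean["id"]),)
    ).fetchone()


if __name__ == "__main__":
    print(lookup_user({"id": "1"}))
    for payload in ("chr(39)", "cH%52(123-84)"):
        # Escaping leaves these unchanged: nothing for addslashes() to escape.
        print(repr(payload), "->", repr(magic_quotes(payload)))
        try:
            validate({"id": payload})
        except ValidationError as exc:
            print("validation:", exc)
```

Running it shows that both strings MaXX mentions come back from `magic_quotes()` byte-for-byte unchanged, which is why an escaping layer alone cannot be the defence, while the allowlist rejects them before any SQL is built. The validation happens in the application before the query is sent, as the reply recommends, and the query itself uses placeholder binding so that no accepted value is ever concatenated into SQL text.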