Andrew Ballard wrote:
You don't need a disassembler; I already said what that string is intended to do. If it is allowed to run on Microsoft's SQL Server, the hex value is implicitly converted to the string "WAITFOR DELAY '00:00:10'", which is then executed. It doesn't require semi-colons, as SQL Server doesn't need them between statements. This particular command is relatively harmless by itself. Its value lies in the fact that if it causes the resulting page to take more than 10 seconds to load, the attacker knows that your page is wide open to SQL injection as well as knowing that he can execute anything he wants. If you're running MySQL, this won't work so you should be unaffected. Just make sure your code is written to prevent SQL injection and you should be fine.
Would doing all SQL queries via PEAR MDB2 prepare() and execute() prevent SQL injection, or do other SQL injection steps need to be taken when using PEAR MDB2?
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
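To illustrate the question above, here is an added example (not code from either poster or from the PEAR project) showing the same lookup written with string concatenation and with MDB2 prepare()/execute(). The table name `users`, its columns and the DSN are placeholders. The point it makes: a `?` placeholder with a declared type keeps the request value out of the SQL text, so a payload like the hex-encoded `WAITFOR DELAY` string becomes an ordinary (and invalid) integer rather than a statement. Placeholders only bind values, though; a column name or sort direction taken from the request still has to be checked against a whitelist.

```php
<?php
// Added illustration for the PEAR MDB2 question (not from the thread).
// Assumes a table "users" with columns id, name, email and a DSN of your
// own; both are placeholders.
require_once 'MDB2.php';

$dsn  = 'mysqli://user:secret@localhost/appdb'; // placeholder DSN
$mdb2 = MDB2::connect($dsn);
if (MDB2::isError($mdb2)) {
    die($mdb2->getMessage());
}

// VULNERABLE: the request value is spliced straight into the SQL text,
// so whatever arrives in ?id= becomes part of the statement.
function findUserUnsafe($mdb2, $id)
{
    $sql = "SELECT id, name, email FROM users WHERE id = " . $id;
    return $mdb2->queryRow($sql, null, MDB2_FETCHMODE_ASSOC);
}

// SAFER: prepare() with a "?" placeholder and a declared type; execute()
// supplies the value separately, so it is always treated as data.
function findUserSafe($mdb2, $id)
{
    $sth = $mdb2->prepare(
        'SELECT id, name, email FROM users WHERE id = ?',
        array('integer'),      // parameter types
        MDB2_PREPARE_RESULT    // the statement returns rows
    );
    if (MDB2::isError($sth)) {
        return $sth;
    }
    $res = $sth->execute(array($id));
    $sth->free();
    if (MDB2::isError($res)) {
        return $res;
    }
    return $res->fetchRow(MDB2_FETCHMODE_ASSOC);
}

// Placeholders only cover values. Identifiers and keywords (the column to
// sort by, ASC/DESC) cannot be bound, so they still need a whitelist.
function listUsers($mdb2, $orderBy)
{
    $allowed = array('id', 'name', 'email');
    if (!in_array($orderBy, $allowed, true)) {
        $orderBy = 'id';   // fall back to a known-good column
    }
    $sql = "SELECT id, name, email FROM users ORDER BY $orderBy";
    return $mdb2->queryAll($sql, null, MDB2_FETCHMODE_ASSOC);
}

$id  = isset($_GET['id']) ? $_GET['id'] : 0;
$row = findUserSafe($mdb2, $id);
if (MDB2::isError($row)) {
    die($row->getMessage());
}
```

Using prepare()/execute() everywhere covers the common case (values in WHERE, INSERT and UPDATE clauses). The remaining work is the part placeholders cannot do: validating anything that ends up as an identifier, keyword or LIMIT count, and giving the application's database account only the privileges the queries actually need.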