Re: SQL Injection

On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw <onatawahtaw@xxxxxxxx> wrote:

Hi Karl,

If you look at the link you provided you'll notice that some of the code is for ASP.net and some is for PHP.

I have looked at the link. Most SQL injection problems come from adding something to the WHERE clause, ending it with a semicolon and putting an additional SQL command after the semicolon. In this case you have two SQL commands. The first may be a SELECT command and the next can drop a whole table with all its content.

One thing you can do is to trim the SELECT statement and throw away everything after a semicolon, together with the semicolon itself.

Another security method of MySQL is that the field variables are encapsulated by escaping. So MySQL takes note that this is the variable content of a form field and should be treated as such.

Regards,
Ruprecht

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
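As an added illustration of the two patterns discussed in this thread (example code written here, not code from the list or from Ruprecht): the string-concatenation pattern in which a form value becomes part of the SQL text the server parses, beside a PDO prepared statement in which the value is bound separately and is therefore never interpreted as SQL, whether or not it contains quotes or semicolons. The table `users` and its columns, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumes a MySQL table users(id INT, name VARCHAR(64), email VARCHAR(128));
// the DSN and credentials below are placeholders.

declare(strict_types=1);

// UNSAFE (shown for contrast only): the form value is pasted straight into the
// SQL text, so whatever the user submits is parsed by the server as SQL.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: a prepared statement sends the SQL text and the value separately.
// The value is bound as data, so quotes or a semicolon in it cannot change
// the structure of the statement or append a second command.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4', // placeholder DSN
    'app_user',                                             // placeholder user
    'app_password',                                         // placeholder password
    [
        // Raise exceptions instead of silently returning false on errors.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so the server binds the value itself
        // rather than the driver interpolating an escaped copy client-side.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$name = $_GET['name'] ?? '';
foreach (findUserSafe($db, $name) as $row) {
    // Escape on output as well, since the stored value is untrusted text.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The escaping Ruprecht refers to (for example `mysqli::real_escape_string`) depends on the connection's character set being set correctly, which is why the DSN above names `charset=utf8mb4`; a prepared statement with emulation disabled sidesteps that dependency because no escaped copy of the value is ever spliced into the SQL text.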