Re: SQL injection

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 21/06/15 20:14, Mark Murphy wrote:
> But what does your application do when it gets an invalid SQL statement?
> Maybe it is telling the attacker something important about your database so
> that they can compromise it with the appropriate injection.

It just defaults to the first news article in this case ... and counts
it as another hit on that article. We have never allowed free text SQL
to be included in any query, and any variable passed via the URL to
provide navigation is only ever passed as a parameter, so even if there
was no filtering of the parameter it would just fail. I'd only expect a
continued 'attack' if the URL was returning something useful so to carry
on just did not make sense ...

-- 
Lester Caine - G8HFL
-----------------------------
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk
Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




[Index of Archives]     [PHP Home]     [PHP Users]     [Postgresql Discussion]     [Kernel Newbies]     [Postgresql]     [Yosemite News]

  Powered by Linux