OK - this had no chance of success since publish_date_desc is processed
using the _desc ( or _asc ) and any invalid data stripped
Date: Sunday, June 21, 2015 12:39:06 PM -0400
From: Aziz Saleh azizsa...@gmail.com
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine les...@lsces.co.uk
wrote:
OK - this had no chance of success since publish_date_desc is
processed using the _desc ( or _asc ) and any invalid data
stripped
On Sun, Jun 21, 2015 at 9:19 AM, Lester Caine les...@lsces.co.uk wrote:
OK - this had no chance of success since publish_date_desc is processed
using the _desc ( or _asc ) and any invalid data stripped
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.
On 2:36PM, Sun, Jun 21, 2015 Lester Caine les...@lsces.co.uk wrote:
On 21/06/15 18:55,
On 21/06/15 20:14, Mark Murphy wrote:
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.
It just defaults to the first news article in
On 21/06/15 18:55, Richard wrote:
OK - this had no chance of success since publish_date_desc is
processed using the _desc ( or _asc ) and any invalid data
stripped
sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20n
On 16/05/15 10:00, Karl DeSaulniers wrote:
That does clarify things a bit better on both the @ question
and prepared statements. Thank you for the link as well.
So new question.. what is the best type of database to use
for someone who wants to start small and grow big?
My findings led me
On May 16, 2015, at 8:42 AM, Lester Caine les...@lsces.co.uk wrote:
On 16/05/15 10:00, Karl DeSaulniers wrote:
That does clarify things a bit better on both the @ question
and prepared statements. Thank you for the link as well.
So new question.. what is the best type of database to use
On 16/05/15 14:51, Karl DeSaulniers wrote:
Interesting. I program in MySQL on a hosting plan by a third party.
I have heard/read MySQL is not an enterprise solution, but
for the basic business with say less than 100,000 customers,
it does the job and well. Larger than that I had heard Postgres
On 15/05/15 06:21, Karl DeSaulniers wrote:
Oh ok. Now it makes a little more sense.
I have worked in ASP before, but I am programming in PHP and MySQL at the
moment.
I am going to look into Prepared Statements. Thanks for your feedback.
Just to clarify things a little here and explain
On May 16, 2015, at 3:51 AM, Lester Caine les...@lsces.co.uk wrote:
On 15/05/15 06:21, Karl DeSaulniers wrote:
Oh ok. Now it makes a little more sense.
I have worked in ASP before, but I am programming in PHP and MySQL at the
moment.
I am going to look into Prepared Statements. Thanks
On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May 14, 2015, at 11:11 PM, Onatawahtaw onatawah...@yahoo.ca wrote:
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP.
I have looked in the link. Most problems by inject an
-Kevin Waddell
Proverbs 3:5-6
On Fri, 5/15/15, Ruprecht Helms rhe...@rheynmail.de wrote:
Subject: Re: [PHP-DB] SQL Injection
To: php-db@lists.php.net
Date: Friday, May 15, 2015, 10:16 AM
On 15.05.2015 07:21, Karl DeSaulniers wrote:
On May
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto on everything, so I wanted to know how
reliable is the information on this page.
http://www.w3schools.com/sql/sql_injection.asp
Namely the @ symbol before
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers k...@designdrumm.com
wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto on everything, so I wanted to know
how reliable is the information on this
On May 14, 2015, at 8:09 PM, Aziz Saleh azizsa...@gmail.com wrote:
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers k...@designdrumm.com
wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
I know w3schools is not the de-facto
On 15/05/14 18:19, Karl DeSaulniers wrote:
On May 14, 2015, at 8:09 PM, Aziz Saleh azizsa...@gmail.com wrote:
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers k...@designdrumm.com wrote:
Hello Everyone,
Have a quick question. Was reading some material and wanted some Players
perspective.
On May 14, 2015, at 8:37 PM, Jigme Datse Yli-Rasku jigme.da...@gmail.com
wrote:
On 15/05/14 18:19, Karl DeSaulniers wrote:
On May 14, 2015, at 8:09 PM, Aziz Saleh azizsa...@gmail.com wrote:
On Thu, May 14, 2015 at 9:05 PM, Karl DeSaulniers k...@designdrumm.com
wrote:
Hello Everyone,
On May 14, 2015, at 11:11 PM, Onatawahtaw onatawah...@yahoo.ca wrote:
Hi Karl,
If you look at the link you provided you'll notice that some of the code is
for ASP.net and some is for PHP. What of the two are you programming in? If
you are programming in ASP.net you are asking your
Hi Karl,
If you look at the link you provided you'll notice that some of the code is for
ASP.net and some is for PHP. What of the two are you programming in? If you are
programming in ASP.net you are asking your question to the wrong mailing list
as this list is for PHP. If you are programming
Been a while since I've had a concerted hacker attempt, but over night
this has appeared in the logs.
'sort_mode' = 'last_modified_desc\' and(/**/sElEcT 1
/**/fRoM(/**/sElEcT count(*),/**/cOnCaT((/**/sElEcT(/**/sElEcT
Greetings all:
Using PHP 4.3.xx and MySQL 4.1 (and 3.xxx sometimes).
I've got a ton of forms that use the $_POST variable to send information into
the database, and I'm worried about injection attacks.
My server has magic_quotes enabled, which I thought would handle most things,
but am
I'm pretty amateur at this too, but have done a little reading on the subject.
Here's some nuggets to ponder while the real experts write their responses: :)
1. Magic quotes + mysql_escape_string = double escaped stuff. I think the
general opinion is the magic quotes is evil, but I'm sure
NOTE:
http://www.php.net/mysql_escape_string
Version: 4.3.0
Description: This function became deprecated, do not use this
function. Instead, use mysql_real_escape_string().
Jordan
On Aug 25, 2005, at 2:15 PM, [EMAIL PROTECTED] tg-
[EMAIL PROTECTED] wrote:
Using mysql_escape_string
Haha.. what the hell? Ok, I know this is an older copy of the script I wrote
because I know I took out the All this does is escape the data comment and I
KNOW I saw the thing about mysql_escape_string() being deprecated... don't
know why it's still in there. Hah
Thanks for pointing that out.
Dear veditio,
you wrote:
I've got a ton of forms that use the $_POST variable to send
information into the database [...]
Any suggestions on how to tighten up the form security, or does
magic_quotes help enough?
I'm not a security expert but after some attacks I have implemented
this
I'm new to PHP and would like to make certain that I have the basic
protection for the site:
Use double quotes to contain variable
Use mysql_escape_string so that query is considered part of the WHERE
clause.
$result=mysql_query('SELECT * FROM users WHERE
Just looking for opinions on sql injection while using prepared statements.
I've read at the oci8 extension that content should not be escaped
---
Do not use magic_quotes_gpc or addslashes() and oci_bind_by_name()
simultaneously as no quoting is needed and any magically applied quotes will
be