I agree!!! It really isn't a bug in PHP or MySQL..



On 02/11/06, Earl Lapus <[EMAIL PROTECTED]> wrote:
It's really not a bug in PHP or MySQL (probably). Isn't this on the
application side?

If you take input from the user and then pass it directly as an SQL query, then
your DB gets spilled if the user knows how to do "injection". That's my
understanding of the article by the Joel-on-Software guy.

On 11/2/06, Richard Badlisan <[EMAIL PROTECTED]> wrote:
>
> from http://www.joelonsoftware.com/items/2006/11/01.html
> What's a SQL Injection Bug?
>
> This item ran on the Joel on Software homepage on Wednesday, November 01,
> 2006
>
> I tried to sign up for an online site.
>
> The signup page wanted a secret question and secret answer. For the secret
> question, I put "what is aunt Vera's cat's color". It complained about the
> apostrophe in the question. OK, fine. I deleted that apostrophe.
>
> For the secret answer, I put "Aunt Vera doesn't have a cat."
>
> And I got this:
>
> 1064: You have an error in your SQL syntax; check the manual that
> corresponds to your MySQL server version for the right syntax to use near 't
> have a cat', 'male')' at line 1
>
> This means that the programmers are in the habit of taking strings that they
> got from the user (i.e. GET or POST parameters) and concatenating them
> together with other bits and pieces of SQL to generate SQL statements.
>
> For example, in PHP with PostgreSQL:
>
> $x = pg_query("select * from accounts where name='" . $_GET["name"] . "'");
>
> (For non-PHP programmers: "." is the string concatenation operator).
>
> I'm not surprised that they are in the habit of doing this; a lot of
> programming books, tutorials, and documentation use examples like this.
>
> Unfortunately it's a gigantic security hole called SQL injection.
>
> The user, if malicious, can close the string that you opened, finish your
> select statement, put in a semicolon (the SQL statement separator), and then
> type any SQL code they want, and it will run.
>
> So, for example, if the user supplies this as name:
>
> foo'; delete * from accounts --
>
> ... the SQL statement executed will be:
>
> select * from accounts where name='foo'; delete * from accounts --'
>
> ... which will do exactly what it looks like: it will delete the entire
> table of accounts.
>
> I have encountered this bug during our PHP thesis defense last year. Indeed
> it will result in a MySQL error. I am not sure, but the latest version is now
> aware of this. I have a PHP page that asks for a username and password. I
> remembered, "how about if I input an apostrophe into it, will it crash?"...
> guess what... it was just ignored and no error was displayed. It was treated as
> an ordinary input string. So I guess this is no longer present in the latest
> versions of PHP; meaning the passing of the string has been solved and it no
> longer gets confused about whether it is a query or not. I am not very good at
> PHP and MySQL since I am just starting to learn. IMO, it probably depends on
> the version.
> --
> "..we are here, your true friends, who will sing to you. In sadness and joy,
> hardship and comfort.. we.. in your bed."
>
> »› RICHARD M. BADLISAN
> » http://goma.co.nr
> » [EMAIL PROTECTED]
> » [EMAIL PROTECTED]
> _________________________________________________
> Kagay-Anon Linux Users' Group (KLUG) Mailing List
> [email protected] (http://cdo.linux.org.ph)
> Searchable Archives: http://archives.free.net.ph
>
>


--
There are seven words in this sentence.
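As an added example (not code from the article or from anyone in this thread), here is the concatenation pattern Joel describes beside the parameterized form, using Python's sqlite3 as a stand-in for PHP with MySQL/PostgreSQL; the accounts table and its columns are assumed for the demo, and the inputs are the article's own secret answer and name.

```python
import sqlite3

# Constructed sample inputs taken from the article: the secret answer that
# broke the signup page, and the name the article uses to illustrate injection.
SECRET_ANSWER = "Aunt Vera doesn't have a cat."
INJECTED_NAME = "foo'; delete * from accounts --"


def fresh_db():
    """In-memory stand-in for the site's accounts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table accounts (name text, secret_answer text, gender text)")
    conn.execute("insert into accounts values ('alice', 'blue', 'female')")
    return conn


def signup_concatenated(conn, name, answer):
    """The article's pattern: user input glued straight into the SQL text.
    Returns the database's error message, or None if the insert succeeded."""
    sql = ("insert into accounts (name, secret_answer, gender) values ('"
           + name + "', '" + answer + "', 'male')")
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as e:
        # The apostrophe in "doesn't" closes the string early; the leftover
        # text "t have a cat." is parsed as SQL, just like the 1064 error above.
        return str(e)


def signup_parameterized(conn, name, answer):
    """Same insert with bound parameters: the driver sends the values
    separately from the SQL text, so quotes in them are data, never syntax."""
    conn.execute(
        "insert into accounts (name, secret_answer, gender) values (?, ?, 'male')",
        (name, answer),
    )
    return None


def stored_answer(conn, name):
    row = conn.execute("select secret_answer from accounts where name = ?",
                       (name,)).fetchone()
    return row[0] if row else None


def count_accounts(conn):
    return conn.execute("select count(*) from accounts").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print("concatenated:", signup_concatenated(db, "bob", SECRET_ANSWER))
    print("parameterized:", signup_parameterized(db, "bob", SECRET_ANSWER))
    print("stored:", stored_answer(db, "bob"))
    signup_parameterized(db, INJECTED_NAME, "n/a")  # stored as a literal name
    print("rows still present:", count_accounts(db))
```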

