dili man tingali ana ang meaning sa "bug" diha sa title..
dili cya bug sa underlying applications but a bug of the system that
makes use
of these applications..
bug cya sa katong web application or katong website...
hence, the title "sql injection bug"...
dili pasabot na "there's a bug in sql"... it simply means "there's a
[sql injection] bug
in ur software/website/app"..
almost all (iF not all) sql-injections bugs can be simplified down and
written off as "input-parsing bugs"
daghan ani during the CGI days..and hatud karon naa pa gihapon ang mga
websites na vulnerable to "injection"-style na
hacks..
pwede pa gani "equality expressions" sa mga password and name fields,
for example:
ang algo for checking if a particular username exists in a database,
gina-ihap lang ang result sets or rows retrieved.. so kung greater than
0 meaning okay na...
so pwede ra mo butang dayun sa input field ug [ '' or 1=1 ]
so pag evaluate sa server logic ug [select username from usertable where
username='' or 1=1]
naa gyud result pirme :(
Earl Lapus wrote:
dili man gyud cya bug sa php or mysql (tingali). di ba naa mani sa
application nga side?
if mag kuha ka ug input sa user then i pasa nimo diretso as an sql
query then
ma yabo ang imong db if kabalo mag "injection" ang user. mao ni akong
pag sabot sa article ni joel-on-software-bayot.
On 11/2/06, Richard Badlisan <[EMAIL PROTECTED]> wrote:
from http://www.joelonsoftware.com/items/2006/11/01.html
What's a SQL Injection Bug?
This item ran on the Joel on Software homepage on Wednesday, November
01,
2006
I tried to sign up for an online site.
The signup page wanted a secret question and secret answer. For the
secret
question, I put "what is aunt Vera's cat's color". It complained
about the
apostrophe in the question. OK, fine. I deleted that apostrophe.
For the secret answer, I put "Aunt Vera doesn't have a cat."
And I got this:
1064: You have an error in your SQL syntax; check the manual that
corresponds to your MySQL server version for the right syntax to use
near 't
have a cat', 'male')' at line 1
This means that the programmers are in the habit of taking strings
that they
got from the user (i.e. GET or POST parameters) and concatenating them
together with other bits and pieces of SQL to generate SQL statements.
For example, in PHP with PostgreSQL:
$x = pg_query("select * from accounts where name='" . $_GET["name"] .
"'");
(For non-PHP programmers: "." is the string concatenation operator).
I'm not surprised that they are in the habit of doing this; a lot of
programming books, tutorials, and documentation use examples like this.
Unfortunately it's a gigantic security hole called SQL injection.
The user, if malicious, can close the string that you opened, finish
your
select statement, put in a semicolon (the SQL statement separator),
and then
type any SQL code they want, and it will run.
So, for example, if the user supplies this as name:
foo'; delete * from accounts --
... the SQL statement executed will be:
select * from accounts where name='foo'; delete * from accounts --'
... which will do exactly what it looks like: it will delete the entire
table of accounts.
I have encountered this bug during our php thesis defense last year.
Indeed
it will result to a mysql error. I am not sure but the latest version
is now
aware about this. I have a php page that asks for a username and
password. I
remembered, "how about if I'll input an apostrophe on it, will it
crash?"...
guess what... gi-ignore ra and no error displayed. Gi-treat siya as
ordinary
input string. So I guess, murag wala na ni siya sa mga latest version sa
php. bale nasolve na ang pagpasa sa string ug di na maconfuse kung
query ba
siya or dili. Di kaayo ko maayo sa php ug mysql kay kamulo pa ko
tu-on. IMO,
sa version siguro na siya gadepende.
--
"..nandirito kami ang barkada mong tunay aawit sa'yo. Sa lungkot at
ligaya,
hirap at ginhawa.. kami.. sa kama mo."
»› RICHARD M. BADLISAN
» http://goma.co.nr
» [EMAIL PROTECTED]
» [EMAIL PROTECTED]
_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph
_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph
