On 11/2/06, Ron Michael Khu <[EMAIL PROTECTED]> wrote:
That's probably not what "bug" means in the title..
It's not a bug in the underlying applications but a bug of the system that
makes use of these applications..
It's a bug in that web application or that website...
hence, the title "sql injection bug"...
It doesn't mean "there's a bug in sql"... it simply means "there's a
[sql injection] bug in your software/website/app"..
almost all (if not all) sql-injection bugs can be simplified down and
written off as "input-parsing bugs"
There were a lot of these during the CGI days.. and even now there are still
websites that are vulnerable to "injection"-style hacks..
You can even use "equality expressions" in the password and name fields,
for example:
the algorithm for checking if a particular username exists in a database
just counts the result sets or rows retrieved.. so if it's greater than
0, that means okay...
so you can just put [ '' or 1=1 ] straight into the input field
so when the server logic evaluates [select username from usertable where
username='' or 1=1]
there's always a result :(
Earl Lapus wrote:
> It's not really a bug in php or mysql (probably). Isn't this on the
> application side?
>
> If you take input from the user and then pass it straight through as an
> sql query, then your db gets spilled if the user knows how to do
> "injection". That's how I understood the article by that
> joel-on-software guy.
>
> On 11/2/06, Richard Badlisan <[EMAIL PROTECTED]> wrote:
>>
>> from http://www.joelonsoftware.com/items/2006/11/01.html
>> What's a SQL Injection Bug?
>>
>> This item ran on the Joel on Software homepage on Wednesday, November 01, 2006
>>
>> I tried to sign up for an online site.
>>
>> The signup page wanted a secret question and secret answer. For the secret question, I put "what is aunt Vera's cat's color". It complained about the apostrophe in the question. OK, fine. I deleted that apostrophe.
>>
>> For the secret answer, I put "Aunt Vera doesn't have a cat."
>>
>> And I got this:
>>
>> 1064: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 't have a cat', 'male')' at line 1
>>
>> This means that the programmers are in the habit of taking strings that they got from the user (i.e. GET or POST parameters) and concatenating them together with other bits and pieces of SQL to generate SQL statements.
>>
>> For example, in PHP with PostgreSQL:
>>
>> $x = pg_query("select * from accounts where name='" . $_GET["name"] . "'");
>>
>> (For non-PHP programmers: "." is the string concatenation operator).
>>
>> I'm not surprised that they are in the habit of doing this; a lot of programming books, tutorials, and documentation use examples like this.
>>
>> Unfortunately it's a gigantic security hole called SQL injection.
>>
>> The user, if malicious, can close the string that you opened, finish your select statement, put in a semicolon (the SQL statement separator), and then type any SQL code they want, and it will run.
>>
>> So, for example, if the user supplies this as name:
>>
>> foo'; delete * from accounts --
>>
>> ... the SQL statement executed will be:
>>
>> select * from accounts where name='foo'; delete * from accounts --'
>>
>> ... which will do exactly what it looks like: it will delete the entire table of accounts.
>>
>> I encountered this bug during our php thesis defense last year. Indeed, it results in a mysql error. I am not sure, but the latest version is now aware of this. I have a php page that asks for a username and password. I remembered, "what if I input an apostrophe in it, will it crash?"... guess what... it was just ignored and no error was displayed. It was treated as an ordinary input string. So I guess this is no longer there in the latest versions of php. In other words, passing the string has been fixed so it no longer gets confused about whether it is a query or not. I'm not very good at php and mysql since I'm just starting to learn. IMO, it probably depends on the version.
>> --
>> "..we are here, your true friends, to sing to you. In sorrow and joy,
>> hardship and ease.. we.. in your bed."
>>
>> »› RICHARD M. BADLISAN
>> » http://goma.co.nr
>> » [EMAIL PROTECTED]
>> » [EMAIL PROTECTED]
>> _________________________________________________
>> Kagay-Anon Linux Users' Group (KLUG) Mailing List
>> [email protected] ( http://cdo.linux.org.ph)
>> Searchable Archives: http://archives.free.net.ph
>>
>>
>
>
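To make the "count the rows" username check from the post above concrete, here is an added example; it is not code from the thread or from any of its authors. It uses Python's sqlite3 module in place of PHP and MySQL, and the table name usertable, the sample usernames and the probe inputs are constructed for this illustration. The first function splices the name into the SQL text the way the quoted PHP snippet does; the second passes it as a bound parameter. One detail worth seeing run: the application supplies the quotes around the value, so the part of [ '' or 1=1 ] the user actually types starts at the single quote, and the trailing quote the application appends has to be swallowed with the "--" comment trick from Joel's article before the WHERE clause becomes a tautology. With a bound parameter the same text is simply compared against the username column and matches nothing. A legitimate name containing an apostrophe, o'brien, shows the other face of the same defect: the concatenated version raises the syntax error Joel hit, while the parameterized one finds the user.

```python
"""Added example (not from the thread): the "count the rows" username check
written two ways against an in-memory SQLite table.  Table name, sample
users and probe inputs are constructed for this illustration; Python and
sqlite3 stand in for the PHP and MySQL of the original posts."""
import sqlite3

# Constructed sample data standing in for the thread's "usertable".
SAMPLE_USERS = ["alice", "bob", "o'brien"]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database holding a tiny usertable."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE usertable (username TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO usertable (username) VALUES (?)",
        [(u,) for u in SAMPLE_USERS],
    )
    return conn


def user_exists_concat(conn: sqlite3.Connection, name: str) -> bool:
    """Vulnerable form: the user-supplied name is spliced into the SQL text,
    like  select username from usertable where username='<name>'  in the
    thread.  Kept deliberately unsafe so the two forms can be compared."""
    sql = "SELECT username FROM usertable WHERE username='" + name + "'"
    rows = conn.execute(sql).fetchall()  # raises OperationalError on broken SQL
    return len(rows) > 0                 # "greater than 0 means okay"


def user_exists_param(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened form: the name travels as a bound parameter, never as SQL.
    The driver compares the whole string against the column, so quotes,
    comment markers and OR clauses inside it have no syntactic effect."""
    rows = conn.execute(
        "SELECT username FROM usertable WHERE username = ?", (name,)
    ).fetchall()
    return len(rows) > 0


def compare(name: str) -> dict:
    """Run both checks on one input against a fresh database.

    Returns {'concat': True | False | 'error', 'param': True | False};
    'error' records the SQL syntax-error symptom from Joel's article."""
    conn = make_db()
    try:
        concat_result = user_exists_concat(conn, name)
    except sqlite3.OperationalError:
        concat_result = "error"
    param_result = user_exists_param(conn, name)
    conn.close()
    return {"concat": concat_result, "param": param_result}


if __name__ == "__main__":
    # Constructed probes: two ordinary names, a legitimate name containing an
    # apostrophe, and the quote-plus-tautology input from the thread with
    # Joel's "--" appended to swallow the quote the application adds.
    for probe in ["alice", "nobody", "o'brien", "' or 1=1 --"]:
        print(repr(probe), compare(probe))
```

Running it prints one line per probe. The two ordinary names give the same answer from both functions; the apostrophe name is an error in the concatenated version and a hit in the parameterized one; the tautology input is a hit only in the concatenated version, which is exactly the "there's always a result" behaviour Ron describes, and exactly what the bound parameter removes.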
--
Live free. Love free.
http://mungkey.deviantart.com
http://mungkey.blogspot.com
