Re: [PHP-DB] SQL injection

2015-06-21 Thread Mark Murphy
But what does your application do when it gets an invalid SQL statement?
Maybe it is telling the attacker something important about your database so
that they can compromise it with the appropriate injection.

On 2:36PM, Sun, Jun 21, 2015 Lester Caine les...@lsces.co.uk wrote:

 On 21/06/15 18:55, Richard wrote:
  OK - this had no chance of success since publish_date_desc is
   processed using the _desc ( or _asc ) and any invalid data
   stripped
  
  
   sort_mode=publish_date_desc%20or%20(1,2)=(select*from(select%20name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a)%20--%20and%201%3D1
  
   The question is more of interest in just what it was trying to
   achieve? I presume hack MySQL? So Firebird would barf anyway, but
   just trying to something that has generated some several hundred
   error log entries in the last two days ...
  
   Lester Caine - G8HFL
  
  
   The sub-query is invalid, if valid it would've been equivalent to:
   or (1,2)=(select*from(select 'b2xvbG9zaGVy' as 1, 'b2xvbG9zaGVy'
   as 1))a) -- and 1=1
  
   Seems non threatening to me.
  Regardless of whether this specific attack could have resulted in
  harmful sql injection or not, user input should be sanitized so that
  things never get this far.

 ? That is taken direct off the URL! Sod all I can do to prevent it, but
 I was simply asking if I was missing something as it did not make any
 sense? It got no further than the error log but as I said several
 hundred attempts via a few different filter options all of which
 suggested something that was expected to work if the site was a
 vulnerable mysql powered site ... which it's not.

 Seems that is just a pointless URL rather than some recently identified
 potential vulnerability?

 --
 Lester Caine - G8HFL
 -
 Contact - http://lsces.co.uk/wiki/?page=contact
 L.S.Caine Electronic Services - http://lsces.co.uk
 EnquirySolve - http://enquirysolve.com/
 Model Engineers Digital Workshop - http://medw.co.uk
 Rainbow Digital Media - http://rainbowdigitalmedia.co.uk

 --
 PHP Database Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php

Sent from my android
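Mark's point about what the application reveals on an invalid statement, and Richard's note that sort_mode is checked for _asc/_desc, shown as an added example (not code from the thread or from Lester's site): an allow-list for the sort parameter plus a query wrapper that logs the driver error server-side and returns only a generic message. It assumes an `articles` table with `id`, `title` and `publish_date` columns (constructed) and uses an in-memory SQLite database through PDO so it runs without a MySQL server.

```php
<?php
// Added example, not code from the thread: allow-list the sort_mode
// parameter instead of interpolating it, and keep driver error text out of
// the HTTP response so a malformed probe learns nothing from the reply.

// Sort keys a client may request, mapped to real column names (constructed).
const SORTABLE_COLUMNS = [
    'publish_date' => 'publish_date',
    'title'        => 'title',
];

// Turn "publish_date_desc" or "title_asc" into an ORDER BY fragment. Anything
// that does not match exactly gets the default, so a value like
// "publish_date_desc or (1,2)=(select ...)" never reaches the SQL string.
function orderByFromSortMode(string $sortMode, string $default = 'publish_date DESC'): string
{
    if (!preg_match('/^([a-z_]+)_(asc|desc)$/', $sortMode, $m)
        || !isset(SORTABLE_COLUMNS[$m[1]])) {
        return $default;
    }
    return SORTABLE_COLUMNS[$m[1]] . ' ' . strtoupper($m[2]);
}

// Run the query. On failure the driver message goes to the server log only;
// the client sees a generic error with no schema, engine or syntax detail.
function fetchArticles(PDO $db, string $sortMode): array
{
    $sql = 'SELECT id, title, publish_date FROM articles ORDER BY '
         . orderByFromSortMode($sortMode);
    try {
        return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('article query failed: ' . $e->getMessage());
        throw new RuntimeException('Unable to load articles.');
    }
}

// Demo against an in-memory SQLite table with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER, title TEXT, publish_date TEXT)');
$db->exec("INSERT INTO articles VALUES (1, 'first', '2015-06-01'), (2, 'second', '2015-06-20')");

// The URL-decoded probe from the thread, then two legitimate values.
$probe = 'publish_date_desc or (1,2)=(select*from(select name_const(CHAR(111,108,111,108,111,115,104,101,114),1),name_const(CHAR(111,108,111,108,111,115,104,101,114),1))a) -- and 1=1';
foreach ([$probe, 'publish_date_desc', 'title_asc'] as $mode) {
    $rows = fetchArticles($db, $mode);
    echo orderByFromSortMode($mode), ' -> ', count($rows), " rows\n";
}
```

The probe collapses to the default ORDER BY and returns the same two rows as a plain publish_date_desc request, and any driver failure reaches the client only as "Unable to load articles."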


Re: [PHP-DB] Re: Code Security

2015-02-18 Thread Mark Murphy
@Taco, Read back through the whole thread and you will understand. Ethan
just can't do what he wants to with PHP.
On Feb 18, 2015 9:59 AM, Taco Mathijs Hillenaar-Meerveld 
tm.hillen...@gmail.com wrote:

 Sorry if I misread and put my reply in the wrong context, but from how I
 read this question it is all about preventing a user from opening a
 terminal window.

 If Mr. Nice is logged in then I assume he has all rights, as the topic
 starter is afraid Mr. Ugly can look at his code.

 As far as I know it is not common practice to work directly on a server
 with all rights and allow other people to use that computer while it is
 connected to the specific server.
 Ethan also pointed out that he made a POS (Point of Sale) program to work
 in that store. There are 2 account types: 1 admin, 2 worker.

 The worker should not have any rights and the admin account should only be
 able to change/edit things within that program.

 I don't see why anyone (the admin included) would need to have access to
 the stand-alone server apart from maintenance duties to keep it all up and
 running.
 The server needs to be locked in a server room or another place that will
 fit, but definitely locked.

 If someone can get on that server through a terminal it will mean something
 has gone horribly wrong.

 I am not sure if Ethan is trolling though, but if I understand his question
 right and it's an honest question, it sounds kind of weird to me.

 When I get an order to install a server, my first questions would be:
 - who is going to use it?
 - who has access to it?
 - who needs to have access to it?
 - where will this server be placed? (server room, datacenter, store)

 Once the server is installed I have a root account, an admin account with
 certain rights, and I have made a couple of 'administrator groups'.
 Programs like Apache are in this group as well, but this has nothing to do
 with the administrator account from the POS.

 So are we here talking about securing the code of the POS and its content,
 or are we talking about the basics of securing a Linux server?
 If it is the latter, the topic starter had better read about how to secure
 his server. BTW, I'm wondering what his question has got to do with PHP and
 databases :-/

 In addition:

 *As soon as we talk about 'looking at code' and 'user is logged in as an
 administrator with all rights to delete content' you will make ANY
 administrator nervous :) I know a couple of admins, trust me, they are
 paranoid and won't trust anyone near their machines. Not to speak about
 getting access to a server!*


 On Fri, Feb 13, 2015 at 6:28 PM, Guru nagendra802...@gmail.com wrote:

  Put a redirect code in www folder to your index page.
  On Feb 13, 2015 10:55 PM, Karl DeSaulniers k...@designdrumm.com
 wrote:
 
   Set up a password or a salt that Mr. Nice has to call you to get and
   expires on logout.
  
   Lol
  
   Best,
   Karl
  
  
   Sent from losPhone
  
On Feb 13, 2015, at 8:47 AM, erosenb...@hygeiabiomedical.com wrote:
   
   
Ethan,
It seems like you're looking for a programmatic solution to a
 physical
security problem. In the end, your most viable solution will likely
be to train Mr. Goodguy to remove the key the same way he needs to
remember his ATM card after a withdrawal. I've seen programmatic
work-arounds to solve similar issues, but they have always ended up
being significantly arduous for the end users...
Respectfully,
Joshua D. Arneson
-----Original Message-----
From: Ethan Rosenberg [mailto:erosenb...@hygeiabiomedical.com]
Sent: Friday, February 13, 2015 9:12 AM
To: php...@lists.php.net
Subject: Re: [PHP-DB] Code Security

On 02/13/2015 02:58 AM, Karl DeSaulniers wrote:
 Prevent THIS from ever happening.

 On Feb 12, 2015, at 11:03 PM, Ethan Rosenberg wrote:
  He asks Mr.[naive]Nice if he could look at the computer while it is
  logged in.

 Otherwise, I would say an external key that has a salt stored on it that
 the user has to insert in the computer before the system can be accessed.
 Like an access key card. Immediate shut down when tampered and/or removed.
 Just a stab in the dark though.

 Best,
 Karl DeSaulniers
 Design Drumm
Karl -
Thanks.
The key is already plugged in. Mr [Naive] Nice is using the computer,
and is logged in. Mr. Ugly just wants to look at the computer.
Ethan--
Joshua -
My apologies for an HTML message.  That is all I have at work.
   
How about this -
Block access to Ctrl-Alt-Del for Mr. Nice.
TIA
Ethan
   
   
  
  
  
 



[PHP-DB] Error fetching a second row from a result set (mysql)

2014-11-14 Thread Mark Murphy
Windows 7 SP1; php 5.3.29; Apache 2.4.9; MySQL 5.6.17

$isr = mysql_unbuffered_query ( $is, $link_id );
if ($isr === false) {
    ...                        // query failed; handle the error
}
if ($isr) {
    $booking_id = '';
    // Unbuffered result: the PHP manual requires every row to be fetched
    // before another query is sent over the same $link_id.
    while ( $isv = mysql_fetch_assoc ( $isr ) ) {
        $result ['id'] = $isv ['id'];
        ...                    // other mysql_query calls on $link_id happen in here

Second time through this loop I get the following error:

Warning: mysql_fetch_assoc(): 40 is not a valid MySQL result resource in
C:\Users\Mark Murphy\whiworkspace\spur\cron\import_bookings.php on line 89

Problem is that for the resource, the type is changed to Unknown by a
different mysql_query within the loop. Any idea what will cause this?

When the statement works, the debug value for $isr is resource id='40'
type='mysql result'.
When the statement fails, the debug value is resource id='40' type='Unknown'.