Steve,


Actually, your example there is incorrect.



It is inappropriate that the user entered data is changed between what’s 
entered and what’s seen in the db. Escaping should be invisible to the data.



In your example below, since Witango/TeraScript automatically wraps the value 
in a set of single quotes, the entire value, including the double quote and 
semi-colon will be considered text and not part of the SQL statement. This is 
100% safe. Only the presence of an undoubled single-quote would cause an issue.



I’ll mention one thing that I recently learned. The default error by the 
Witango Server is informative. When one of my PCI scans (I have 2 that are 
running against my sites) came back with hundreds of SQL injection errors I 
determined that they were seeing the error message which looked to contain 
parts of their injection attack and they took that as a fault (arguably 
detailed errors can help hackers attack your site). I simply set up a default 
error which bounced to the home page and the re-scan came back clean.



I’m not sure what kind of reporting they do, but if you can learn more about 
the specifics of the failure, we might be able to nail it down. But try setting 
a default error first and see if that solves everything.



Robert
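An added example, not TeraScript code and not from anyone on this list, written in Python against an in-memory sqlite3 table to show the two points above: a quote-doubling escape wrapped in single quotes keeps the entire value, double quote and semicolon included, inside one string literal and stores it exactly as entered, and a default error handler that logs the detail but returns only a generic message to the client. The `customers` table shape and the function names are assumptions.

```python
import logging
import sqlite3

logger = logging.getLogger("db")


def sql_quote(value: str) -> str:
    """Return VALUE as a SQL string literal.

    Doubles every single quote and wraps the result in single quotes. This
    is the escaping rule Robert describes TeraScript applying automatically;
    it is written out here only to show that it leaves the data untouched.
    """
    return "'" + value.replace("'", "''") + "'"


def make_db(create_table: bool = True) -> sqlite3.Connection:
    """Constructed test database; create_table=False simulates a failing insert."""
    conn = sqlite3.connect(":memory:")
    if create_table:
        conn.execute("CREATE TABLE customers (first_name TEXT)")
    return conn


def insert_customer(conn: sqlite3.Connection, first_name: str) -> str:
    """Insert one row; return 'ok' or a generic 'error' (never the DB error text)."""
    sql = "INSERT INTO customers (first_name) VALUES (" + sql_quote(first_name) + ")"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        # Detail goes to the server log; the client only sees a default error,
        # which is the "default error" behaviour described above.
        logger.error("insert failed: %s (sql=%r)", exc, sql)
        return "error"


def stored_names(conn: sqlite3.Connection) -> list:
    """Read back what actually landed in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT first_name FROM customers ORDER BY rowid")]


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: Steve's value from the thread, plus a name with a single quote.
    for name in ['Steve"); UPDATE customers…', "O'Brien"]:
        print(name, "->", insert_customer(db, name))
    print(stored_names(db))
    print(insert_customer(make_db(create_table=False), "x"))
```

The round trip is the check that matters: the stored value equals the entered value with no backslash added, because the doubled quote is consumed by the SQL parser and never reaches the table. The single quote in `O'Brien` is the only character the escape has to touch, which is why an undoubled single quote is the one input that would break the literal.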





From: Steve Briggs [mailto:[email protected]]
Sent: Monday, August 22, 2011 9:02 AM
To: [email protected]
Subject: Re: Witango-Talk: Witango / TeraScript MySQL escape meta tag



Thanks Robert. That's what I'm not sure of. The PCI compliance scans are saying 
they are vulnerable to SQL injections, and if I enter something like this in a 
form field being inserted by a TAF:



Steve"); UPDATE customers…



then look at the database table, that's exactly what's in there. Shouldn't it 
be:



Steve\"); UPDATE customers…



if it is being escaped? I have to admit to a lack of knowledge in this area, so 
I apologize if I'm misunderstanding what the PCI compliance outfit is looking 
for. I can send you the specific URLs in private if you'd like.



Thanks!



 -- Steve













On Aug 21, 2011, at 2:28 PM, Robert Shubert wrote:





Steve,



I’d like to look at your specific situation in more detail. Escaping of values 
in SQL statements should be automatically handled by TeraScript Server.



Robert



From: Steve Briggs [mailto:[email protected]]
Sent: Sunday, August 21, 2011 11:30 AM
To: [email protected]
Subject: Witango-Talk: Witango / TeraScript MySQL escape meta tag



I need to convert a bunch of old TAF's for PCI compliance and I'm looking for 
the easiest way to escape insert and update statements to avoid SQL injections. 
Does anyone have a custom meta tag similar to PHP's mysql_escape_string? i.e. 
<@MYSQLESCAPE <@POSTARG first_name>>



Or any other suggestions as to the best way to go about this?



Thanks!



 -- Steve









**************************************************

Steve Briggs

Wow Pages

Portland, Maine

Longmont, Colorado



207-761-2450

888-325-5907



[email protected]



**************************************************













  _____

To unsubscribe from this list, please send an email to [email protected] 
with "unsubscribe witango-talk" in the body.


