 |
Menu |
 |
|
 Home |
| |
|
 Discussions |
| |
|
 Tools |
| |
|
| Affiliates |
| |
|
 Content |
| |
|
 Info |
| |
|
|
|
|
|
|
User Info |
|
 Membership:
 Latest: MichaelSnaRe
 New Today: 0
 New Yesterday: 0
 Overall: 9145
 People Online:
 Visitors: 435
 Members: 0
 Total: 435
|
|
|
|
|
|
PacketStorm News |
|
|
|
 |
|
 |
 |
|
 |
IT Security and Insecurity Portal |
|
|
You Can Do SQL Injection Here ? |
|
 Posted: Fri Jun 24, 2005 4:16 pm |
 |
|
| Devil-00 |
| Regular user |
 |
| |
| Joined: Apr 27, 2005 |
| Posts: 6 |
| Location: Palestine , Jerusalem |
|
|
 |
|
 |
|
Hi ,,
I Have Fucntion From My Frind ,, 
We Wanna To Stop SQL Injections ,,
We Can Use This Function To Stop SQL Injections ?
| Code: |
function SqlStatments ($text)
{
$text = strtolower($text);
$text = str_replace('delete','',$text);
$text = str_replace('truncate','',$text);
$text = str_replace('update','',$text);
$text = str_replace('union','',$text);
$text = str_replace('insert','',$text);
$text = str_replace('select','',$text);
return $text;
}
|
And About XSS .. We Can Stop Attack By This Function ?
| Code: |
function Characters ($text)
{
$text = str_replace('<','',$text);
$text = str_replace('>','',$text);
$text = str_replace('%22','',$text);
$text = str_replace('%3C','',$text);
$text = str_replace('%3E','',$text);
return $text;
}
|
Sorry For My Bad English |
|
|
|
|
|
|
|
|
| Posted: Fri Jul 22, 2005 4:00 am |
|
|
| Tirim |
| Beginner |
|
| |
| Joined: Jul 22, 2005 |
| Posts: 2 |
|
|
|
|
|
|
|
'; UP/**/DATE SomeTable SET Password ='blah' where 1=1--
The above example will evade the sanitization methods you use, because /**/ is treated as a comment, breaking the 'UPDATE' statement into fragements without making the query invalid.
A variable can also be declared as a hex equivilant of an SQL Query and then executed, as in @foobar = 0x73656c65637420404076657273696f6e; exec (@foobar)--.
Having a list of 'badwords' is not the best solution to guard against SQL Injection.
Cheers  |
|
|
|
|
| Posted: Fri Jul 22, 2005 11:28 am |
|
|
| waraxe |
| Site admin |
 |
| |
| Joined: May 11, 2004 |
| Posts: 2407 |
| Location: Estonia, Tartu |
|
|
|
|
|
|
| I can't imagine any practical use of application, where such common words as "delete" and "select" are forbidden. Even "union" - what about European Union? This code will smash up this! |
|
|
|
|
| Posted: Fri Jul 22, 2005 9:50 pm |
|
|
| Chb |
| Valuable expert |
 |
| |
| Joined: Jul 23, 2005 |
| Posts: 206 |
| Location: Germany |
|
|
|
|
|
|
Hey,
a while ago a friend coded a protection for SQL-Injection. Here it is:
| Code: | function sqlprotect($str)
{
return mysql_escape_string($str);
} |
I think you know how to use. |
|
|
|
|
www.waraxe.us Forum Index -> Sql injection
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
All times are GMT
Page 1 of 1
|
|
|
|
Powered by phpBB © 2001-2008 phpBB Group
|
|
|
|
|
|
