Can you demonstrate a URL/attack that would constitute an injection
attack that would get around magic-quotes, or provide some links to
such?
Alex
On 10/31/05, MaXX <bs139412@skynet.be> wrote:
> Hi,
>
> Yonatan Ben-Nes wrote:
> > Hi all,
> >
> > I'm currently trying to build a defence against SQL INJECTION, after
> > reading some material on it I arrived to few possible solutions and I
> > would like to know if anyone can comment anything about them or maybe
> > add a solution of its own:
> [...]
>
> If you're running PHP on an Apache server check mod_security, you'll have to
> tune a little bit it's default ruleset, but it does a great job for me. It
> will not protect you against tricks like 'chr(39)' (single quote) or
> funnier 'cH%52(123-84)' unless you write specific rules. It inspect both
> GET an POST payloads, performs unescaping and lots of other cool things
> (protection agains shell command injection)...
> Be warned, it has some side effects, as it will kick you off if you try to
> publish SQL code on your site even if your code isn't malicious or
> sentences that may look like sql (delete from something)...
>
> As suggested, parameters validation is required, regexps are great for this
> job and are easy to learn (do it you'll see). Do the validation in your PHP
> before sending the query to your server (do not rely only on checking
> inside stored procedures as the injection can take place before the actual
> checking)
>
> HTH,
> --
> MaXX
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>
