Results 1 to 7 of 7
April 19th, 2007, 01:06 PM #1SQL Injection Exploit
I have followed Steve Gibson for quite some time. I was mostly interested in his PC security information. He has a good test for your firewall and other neat stuff.
Today he caught my attention withSecurity Now! Episode 87:
SQL Injection Exploits
Leo and I wrap up our three-part series on web-based code injection vulnerabilities and exploitation with a discussion web-based structured query language (SQL) database attacks. We explain why and how SQL injection vulnerabilities are creating an ongoing plague of vulnerabilities besetting modern 'Web 2.0' applications.
I must like to have extra stuff to worry about.
April 19th, 2007, 07:46 PM #2
Thanks for raising the flag! Anyone that is running prescripted code like coppermine and many others will want to do some research on this. I used the html version and found the topic about 3/4 the way down the page. (remove url if need be grc.com/sn/SN-087.htm )
Anyone that is running thier own apache server might be able to head it ALL off at the pass with some modifications to mod_security. Looks like i have a new more important project for the night :-(
back to learning more...
Last edited by Leader; April 19th, 2007 at 08:04 PM. Reason: Got rid of icon that was unintentionally showing up
April 19th, 2007, 11:07 PM #3
unintended but worked for me ;-)
Bumpaw I can't thank you enough for pointing this out. I always new this was something i needed to know more about, but i had no idea what i was looking at in the logs until tonight.
after doing a bit of learning on this I was shocked how easy SQL can be used to exploit the servers, so I went into my logs and sent no less than 10 hack abuse letters to servers across the globe. If you see any URLs in your logs that reffer to another site such as
someone is knocking at your door....how will you answer?
If you are using SQL/mySQL and php at all you need to pay attention!
April 19th, 2007, 11:43 PM #4
There is a nice article entitled "The scary part of online retailing: Hackers are easily finding the unlocked doors" in April issue of Internet Retailer. They talk a lot about SQL Injection and then further down say:Looking at other e-commerce security trends, we expect the wildly popular PHP open-source programming language to continue to provide a bounty of opportunities for hackers.
April 20th, 2007, 12:02 AM #5
Yes, SQL injection is very serious and many of us are vulnerable already. It's important to always use quotes in your queries and backslash the quotes in user submitted content. If you're inserting a number, quote it anyway to be safe. It's also a good idea to screen the data that comes through to make sure you're getting valid inputs. Just because you've got a select box it doesn't mean somebody won't try to enter a value you didn't provide. To be on the safe side you should enable magic quotes so any user submitted content is automatically backslashed. But even then you need to be aware of the potential problem and keep it in mind when taking content from users.
And I agree, Internet Retailer is great!
- ScottHatred stirs up strife, But love covers all transgressions.
April 20th, 2007, 01:26 AM #6Leader,
unintended but worked for me ;-)
"prescriptioned" code just didn't make sense! :pThere is no knowledge that is not power. ~Hemingway
April 20th, 2007, 12:49 PM #7
It's good to see that this issue is still getting coverage. SQL programmers on PHP or ASP need to keep addressing this issue, because the hackers sure haven't forgotten.
By John Powell in forum Midnight Cafe'Replies: 0Last Post: January 8th, 2009, 09:36 AM
By MnemonicGuy in forum Midnight Cafe'Replies: 1Last Post: July 25th, 2008, 11:03 AM
By Kevin in forum Blogging, Mobile and Social MediaReplies: 1Last Post: May 5th, 2008, 08:26 PM
By PatrickAllmond in forum Programming / Datafeeds / ToolsReplies: 10Last Post: October 22nd, 2007, 05:58 PM