sirhenry
Jan 29 2005, 03:44 PM
Yikes! I just found out about this. It's really something to watch out for when making SQL of any sort, not just log-ins. Fortunately, it's relatively easy to circumvent. Check it out:

QUOTE ("A man wiser than I")
What is an SQL Injection attack?
An SQL Injection attack happens when a user gives your script data crafted to change your SQL to do something you didn't intend it to do. Consider this SQL:
$sql = 'SELECT * FROM users WHERE username="'.$username.'" AND password="'.$password.'"';
$result = mysql_query($sql);
// mysql_query() returns a result set even when no rows match, so test the row count
if ($result && mysql_num_rows($result) > 0) {
    echo 'Logged in!';
}
It looks fine, but what if a user submitted this as their password:
" OR 1=1 OR ""="
This would cause the SQL to read:
SELECT * FROM users WHERE username="" AND password="" OR 1=1 OR ""=""
which would allow the attacker to get into your system without even knowing a login!
On many databases you can also run multiple queries by putting a semicolon in the SQL you pass. Consider this password:
"; DELETE FROM users WHERE ""="
This would run the first query, which would probably find no records, but it would then run the DELETE query, which would delete all of your users. Note that this could also be used to delete any other data in your system, to change your data, or to insert a new user with admin privileges.
To protect against this, you need to "escape" the variables you put into your SQL. When using Mysql you can do this:
$sql = 'SELECT * FROM users WHERE username="'.mysql_real_escape_string($username).'" AND password="'.mysql_real_escape_string($password).'"';
If you're using PEAR::DB you can do this (this will work for *any* database system that DB supports):
$sql = 'SELECT * FROM users WHERE username='.$db->quoteSmart($username).' AND password='.$db->quoteSmart($password);

Pretty scary stuff, huh? ::shocked::

Note: this is taken from this wiki, and the rightful author(s) of this information deserve all credit due.
Reply
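An added example, not code from the quoted wiki or the original post: the same login check written two ways and run against an in-memory SQLite database so it executes offline. Prepared statements (PDO) take the place of the per-driver escaping (mysql_real_escape_string, quoteSmart) shown above; the table, the user and the single-quote form of the payload are constructed for the demo.

```php
<?php
// Added example: vulnerable string concatenation beside a prepared statement.
// Everything here (table, user, payload) is constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
// Plaintext password only to mirror the quoted post; real code stores a hash.
$db->exec("INSERT INTO users VALUES ('alice', 'correct-horse')");

// Vulnerable: the user's input becomes part of the SQL text, so a quote in the
// input ends the string literal and the rest is parsed as SQL.
function loginConcat(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT * FROM users WHERE username='" . $username .
           "' AND password='" . $password . "'";
    $stmt = $db->query($sql);
    return $stmt->fetch() !== false;   // any row at all counts as "logged in"
}

// Safe: the SQL text is fixed at prepare time; the values are bound afterwards
// and can only ever be compared as data, never parsed as SQL.
function loginPrepared(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT * FROM users WHERE username = :u AND password = :p'
    );
    $stmt->execute([':u' => $username, ':p' => $password]);
    return $stmt->fetch() !== false;
}

// The post's payload in single-quote form: closes the literal, then OR 1=1.
$payload = "' OR 1=1 OR ''='";

// Concatenated query: the payload rewrites the WHERE clause and the check passes
// with an empty username and no real password.
var_dump(loginConcat($db, '', $payload));

// Prepared query: the payload is compared to the password column as a string
// and does not match, while the genuine credentials still work.
var_dump(loginPrepared($db, '', $payload));
var_dump(loginPrepared($db, 'alice', 'correct-horse'));
```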
Xedos
Jan 29 2005, 03:47 PM
Wow. I've known about SQL Interjections for ages. I however never knew what they did. This has explained it all to me. Thanks!
Reply
maddog39
Jan 29 2005, 06:33 PM
I know someone who had an SQL injection attack on their phpBB forum and the hacker logged into the ACP and kaked everything and left a message on his homepage, lol.
Reply
Roly
Jan 29 2005, 07:33 PM
or you can use htmlentities() or addslashes()
Reply
OpaQue
Jan 29 2005, 08:12 PM
This is very helpful information that you have contributed! And it must be known by many programmers. I have granted you 2 Hosting Credits as a reward!
Reply
King-Squad
Jan 29 2005, 08:15 PM
What are hosting credits by the way?
Reply
OpaQue
Jan 29 2005, 08:33 PM
King-Squad
Jan 29 2005, 08:37 PM
ooo gotcha, thank you, I wasn't paying attention, sorry
Reply
maddog39
Jan 29 2005, 09:13 PM
It's been like 1 or 2 days and I have 20 credits from my original starting 3, lol.
Reply
Xedos
Jan 31 2005, 02:25 PM
What? You're giving out hosting credits? You're nice. *Cough*Isaidyou'renicenowgiveme5000credits*Cough*
Reply
Adamrosso
Aug 8 2005, 07:51 PM
Interesting topic. I will definitely read this more often if it happens to me.
Reply
s2city
Aug 2 2005, 09:52 PM
Thanks for posting... good idea to inform everyone of the dangers involving databases. Also.. they're called SQL Injections... not Interjections. Common misconception... not really, actually.
Reply
SecureA
Aug 2 2005, 05:22 PM
Well, nice article, thanks.
Reply
BuffaloHELP
Aug 2 2005, 06:51 AM
Dynomite, please do not hijack the thread. Stay on the topic. We have a dedicated PHP programming subforum, or you can search for phpBB modifications with the popular search engines.
Reply
Dynomite
Aug 1 2005, 08:41 PM
Thank you for posting this. Are SQL Injections what cause all of the phpBB exploits? I know it was something like that. I really like phpBB boards. I'm trying to learn PHP more advanced than what I know already, which is basic things like echo "Text Here"; date("D"), if...else, switch, $variable etc... I want to make some really great phpBB hacks. I've been looking at the phpBB code for a while now; I think if I can understand everything in it I should be doing alright. I'll also know the structure of the software and how it works, and that should help me make some modifications for it.
Reply