| From: | MaXX <bs139412(at)skynet(dot)be> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: SQL injection |
| Date: | 2005-10-31 23:32:46 |
| Message-ID: | dk69iv$1ga5$1@talisker.lacave.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Alex Turner wrote:
> Can you demonstrate a URL/attack that would constitute an injection
> attack that would get around magic-quotes, or provide some links to
> such?
>
[...]
Just quoting an article in Hackin9 (N°5/2005) I was just reading before
writing my post (page 53, translated from french): "The PHP function
magic_quote() allow to cancel automaticaly the effect of a single quote
using backslashes; however this function is used in conjunction with the
function strip_slashes(), the escaping characters are suppressed."
I admit that I haven't tried and don't realy know how to implement this one
but I presume they have tried. I'll google on this to see if I can find
some demonstration as this is the first time I read this magazine.
After reading this article I tested some of the suggested attacks agains my
Perl CMS engine based on Pg and hopefully the given examples work with
MySQL but I'm reviewing my regexps just in case...
--
MaXX
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Rafael Montoya | 2005-10-31 23:33:47 | Re: after insert or update or delete of col2 |
| Previous Message | Steve Crawford | 2005-10-31 23:22:23 | Re: Installation trouble |