From: | Alex Turner <armtuk(at)gmail(dot)com> |
---|---|
To: | MaXX <bs139412(at)skynet(dot)be> |
Cc: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: SQL injection |
Date: | 2005-10-31 21:39:18 |
Message-ID: | 33c6269f0510311339q73a84650m7d80a1723c8fbadc@mail.gmail.com |
Lists: | pgsql-general |
Can you demonstrate a URL/attack that would constitute an injection
attack that would get around magic-quotes, or provide some links to
such?
Alex
On 10/31/05, MaXX <bs139412(at)skynet(dot)be> wrote:
> Hi,
>
> Yonatan Ben-Nes wrote:
> > Hi all,
> >
> > I'm currently trying to build a defence against SQL INJECTION, after
> > reading some material on it I arrived to few possible solutions and I
> > would like to know if anyone can comment anything about them or maybe
> > add a solution of its own:
> [...]
>
> If you're running PHP on an Apache server, check mod_security; you'll have to
> tune its default ruleset a little bit, but it does a great job for me. It
> will not protect you against tricks like 'chr(39)' (single quote) or the
> funnier 'cH%52(123-84)' unless you write specific rules. It inspects both
> GET and POST payloads, performs unescaping and lots of other cool things
> (protection against shell command injection)...
> Be warned, it has some side effects, as it will kick you off if you try to
> publish SQL code on your site even if your code isn't malicious, or
> sentences that may look like SQL (delete from something)...
>
> As suggested, parameter validation is required; regexps are great for this
> job and are easy to learn (do it, you'll see). Do the validation in your PHP
> before sending the query to your server (do not rely only on checking
> inside stored procedures, as the injection can take place before the actual
> checking).
>
> HTH,
> --
> MaXX
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: don't forget to increase your free space map settings
>
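Added example, not part of the thread: a runnable illustration of the question Alex asks above. magic_quotes_gpc only backslash-escapes quote characters, so an injection that never needs a quote, such as an unquoted numeric parameter, passes through it untouched; the whitelist validation MaXX recommends, combined with parameter binding, stops it. The table data, the `magic_quotes()` helper (written here to mimic PHP's addslashes()) and the use of Python's bundled sqlite3 as a stand-in engine are assumptions made so the example runs offline; the query strings it builds are the ones a PHP page would send to PostgreSQL.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's PostgreSQL table.
# sqlite3 (standard library) is used only so the example runs offline; the
# query strings built below are the ones a PHP page would hand to PostgreSQL.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice-secret');
        INSERT INTO users VALUES (2, 'bob',   'bob-secret');
        INSERT INTO users VALUES (3, 'carol', 'carol-secret');
    """)
    return conn


def magic_quotes(value: str) -> str:
    """Mimic what magic_quotes_gpc / addslashes() does to request data
    (assumed equivalent): backslash-escape single quote, double quote,
    backslash and NUL. Nothing else is touched."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\x00", "\\0"))


def build_numeric_query(user_id: str) -> str:
    """The vulnerable pattern: a numeric parameter interpolated without
    quotes, as in PHP "SELECT ... WHERE id = $_GET[id]" with magic quotes on."""
    return "SELECT id, name FROM users WHERE id = " + magic_quotes(user_id)


def run_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    return conn.execute(build_numeric_query(user_id)).fetchall()


ID_RE = re.compile(r"[0-9]{1,10}")  # whitelist: digits only, bounded length

def is_valid_id(value: str) -> bool:
    """Parameter validation done in the application, before any SQL is built."""
    return ID_RE.fullmatch(value) is not None


def run_hardened(conn: sqlite3.Connection, user_id: str) -> list:
    """Whitelist-validate, then bind the value as a query parameter so the
    server never parses it as SQL. (With psycopg2 the placeholder is %s.)"""
    if not is_valid_id(user_id):
        raise ValueError("invalid id: %r" % (user_id,))
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


def demo() -> dict:
    conn = make_db()
    payload = "1 OR 1=1"  # attacker-controlled ?id= value; contains no quote
    try:
        run_hardened(conn, payload)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "escaped_payload": magic_quotes(payload),         # unchanged by magic quotes
        "vulnerable_query": build_numeric_query(payload),
        "vulnerable_rows": run_vulnerable(conn, payload), # every user comes back
        "hardened_rejected": rejected,
        "hardened_rows": run_hardened(conn, "2"),
        # A quoted-string payload is the case magic quotes does cover: the quote
        # becomes \' and, on a server that treats backslash as an escape inside
        # string literals (PostgreSQL's default when this thread was written),
        # the literal is never closed.
        "quoted_payload_escaped": magic_quotes("' OR 1=1 --"),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "=", val)
```

Running it shows `WHERE id = 1 OR 1=1` returning all three rows while the escaped payload is byte-for-byte the attacker's input: magic quotes had nothing to escape. The hardened path rejects the same input before any SQL is built, and binding the value means the server, not the client, decides what is data. That last point matters beyond this one case, because which characters need escaping inside a string literal is a server-side setting.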