|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Magic Quotes
From: Steve Slater (slater
handsonsecurity.com)
Date: Tue Oct 10 2006 - 18:11:30 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At 04:00 AM 10/06/06, DokFLeed wrote:
>if there is noway around Magic Quotes, then why is every developer
>against it ?
>Dok
You can often get around it, depending upon the app and the query.
Here is one that works...or at least did work at the time. It's pretty old:
http://packetstormsecurity.nl/0311-exploits/phpBB206.txt
What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:
SELECT * from db.table where column = 1100
What if I change 1100 to: -9999 union select * from whatever.whatever
(No quotes needed here...)
Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.
Steve
==================================================
Steve Slater
President
Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550
http://www.securitycompliancecorp.com
slatersecuritycompliancecorp.com
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]