Comments on: The Basic MySQL Injection http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2 pink is the new black Thu, 26 Jan 2012 17:17:54 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Comedies On DVD http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-10455 Comedies On DVD Mon, 03 May 2010 05:20:18 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-10455 Your own weblog is so informative … maintain the good perform!!!! Your own weblog is so informative … maintain the good perform!!!!

]]> By: digitalpbk http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-10036 digitalpbk Thu, 09 Jul 2009 03:50:41 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-10036 The latest PHP does not have magic quotes enabled or its set to be removed. So I guess updating can leave websites vulnerable, atleast those who blindly truested on the magicquotes as their guardian angel. The latest PHP does not have magic quotes enabled or its set to be removed. So I guess updating can leave websites vulnerable, atleast those who blindly truested on the magicquotes as their guardian angel.

]]> By: stefan http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-8803 stefan Wed, 05 Dec 2007 20:56:38 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-8803 While I am no PHP guru I wonder if there isn't a wat to do parameterized queries? Cause in the Windows/ODBC/C#/VB-NET world parameterized querys solves the problem without needing to change the input strings. Example http://www.programmingado.net/c-27/a-132/Esecute-parameterized-query.aspx While I am no PHP guru I wonder if there isn’t a wat to do parameterized queries? Cause in the Windows/ODBC/C#/VB-NET world parameterized querys solves the problem without needing to change the input strings. Example http://www.programmingado.net/c-27/a-132/Esecute-parameterized-query.aspx

]]> By: Nessa http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-8645 Nessa Thu, 29 Nov 2007 02:11:13 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-8645 Depending on your setup, you would give your filename a variable and add it to the value parameter. To include the file in all of your scripts, you can just use a simple include function. For instance if you name the script 'file.php', just add this line to all your scripts: include('/path/to/file.php'); Depending on your setup, you would give your filename a variable and add it to the value parameter. To include the file in all of your scripts, you can just use a simple include function. For instance if you name the script ‘file.php’, just add this line to all your scripts:

include(‘/path/to/file.php’);

]]> By: James http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-8626 James Wed, 28 Nov 2007 18:20:03 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-8626 Hi Nessa, I came across your site and was wondering how I could use the Myqsl escape as an include file? Do you mean to create a php file with that code and place in my include folder. If so, how do I reference it in each php script to pull it out. If not, please let me know if I need to copy and paste that code manually in each php script. Thanks for your help! Hi Nessa,
I came across your site and was wondering how I could use the Myqsl escape
as an include file? Do you mean to create a php file with that code and
place in my include folder. If so, how do I reference it in each php script
to pull it out. If not, please let me know if I need to copy and paste that
code manually in each php script. Thanks for your help!

]]> By: Nessa http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-496 Nessa Thu, 31 May 2007 22:27:17 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-496 1) i'm sorry to hear that 2) backticks are very common in MySQL syntax up to mysql 4.1, which is a vey vulnerable version of this attack =) 3) mysql_real_escape_string() does indeed help protect again mysql injections as I've used it in my own programs. However, I'm sure you can understand why I did not post the full technical aspects of mysql injections 4}) nice site 1) i’m sorry to hear that

2) backticks are very common in MySQL syntax up to mysql 4.1, which is a vey vulnerable version of this attack =)

3) mysql_real_escape_string() does indeed help protect again mysql injections as I’ve used it in my own programs. However, I’m sure you can understand why I did not post the full technical aspects of mysql injections

4}) nice site

]]> By: Ronald van den Heetk http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/comment-page-1#comment-458 Ronald van den Heetk Wed, 30 May 2007 01:04:51 +0000 http://www.v-nessa.net/2007/01/17/the-basic-mysql-injection-2/#comment-458 First of all the link to Justin's blog: Justin stole that cheat sheet of mine, I asked for credit but no reply, so you know. next, I see you use backticks which are only used for collumns in MySQL and are also not recommended. Futher, mysql_real_escape_string() doesn't protect against such SQL injections: where id = 1 AND(DELETE FROM TABLE) -- which get's executed nicely despite mysql_real_escape_string() :) yeah it's tough to protect against it. And Shhh! not many people know about this ;) First of all the link to Justin’s blog: Justin stole that cheat sheet of mine, I asked for credit but no reply, so you know.

next, I see you use backticks which are only used for collumns in MySQL and are also not recommended.

Futher, mysql_real_escape_string() doesn’t protect against such SQL injections:

where id = 1 AND(DELETE FROM TABLE) —

which get’s executed nicely despite mysql_real_escape_string() :) yeah it’s tough to protect against it. And Shhh! not many people know about this ;)

]]>