I have a page that uses a form to pass a postcode to another page and I
want to test it against an SQL Injection. What would be a safe (i.e. NO
DELETING of data) statement to try and how would I format this to try
in the form?
I have limited the field to 10 chars so I know I would have to test it
with a larger field because a hacker could just rewrite the form and
use a larger field for the attempted attack.
Many thanks in advance
VoodooJai
Voodoo Jai wrote:
I have a page that uses a form to pass a postcode to another page and I
want to test it against an SQL Injection. What would be a safe (i.e. NO
DELETING of data) statement to try and how would I format this to try
in the form?
I have limited the field to 10 chars so I know I would have to test it
with a larger field because a hacker could just rewrite the form and
use a larger field for the attempted attack.
Many thanks in advance
VoodooJai
You need to test against the same things a hacker does - i.e. DELETE.
And you should NEVER be testing on a live system anyway - always test on
a development system, after backing up your databases.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
On Oct 11, 1:27 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
You need to test against the same things a hacker does - i.e. DELETE.
And you should NEVER be testing on a live system anyway - always test on
a development system, after backing up your databases.
I have backed up my db but don't know the syntax to use in the form,
could someone show me an example.
On Oct 11, 9:06 am, Voodoo Jai <voodoo...@btinternet.com> wrote:
I have backed up my db but don't know the syntax to use in the form,
could someone show me an example.
I've always wanted to be the one that says google is your friend. Use
your subject title and google it. 1st hit contains tools for testing
it ( http://www.zubrag.com/tools/sql-injection-test.php), with about
640,000 other hits also.
Bill H
Voodoo Jai wrote:
I have a page that uses a form to pass a postcode to another page and I
want to test it against an SQL Injection. What would be a safe (i.e. NO
DELETING of data) statement to try and how would I format this to try
in the form?
There are automated tools for testing against SQL injection attacks, and
what they usually do is to perform a query that pauses for 15 seconds or so
before continuing.
Therefore, if the software detects that fetching a page took 15 seconds more
than the average, the injection was successful.
Cheers,
--
----------------------------------
Iván Sánchez Ortega -ivan-algarroba-sanchezortega-punto-es-
Buying Microsoft anymore is like saying: Please, treat me like a two year
old, stifle my creativity and learning, keep me in the dark and feed me
crap, and whatever you do, don't let me question your 'authority'.
>I have a page that uses a form to pass a postcode to another page and I
>want to test it against an SQL Injection. What would be a safe (i.e. NO DELETING of data) statement to try and how would I format this to try in the form?
As a quick and non-destructive test, if putting a single quote or
double quote in a field provokes a SQL error (you need to be logging
SQL errors or output any such errors on the page. Reporting SQL
errors to the web user (hacker) is *NOT* something you should leave
in production code.), you've potentially got trouble. (Plus, Mr.
O'Brian won't like it when he can't buy from your store). A backslash
at the end of a field is another thing to test. So is a semicolon.
If, instead of a SQL error, you get an error from the input-checking
portion of your code (e.g. "Quantity must be a number"), you're
catching at least some of the bad input.
>I have limited the field to 10 chars so I know I would have to test it with a larger field because a hacker could just rewrite the form and use a larger field for the attempted attack.
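As an added example (not code from the thread or from any poster), here is a postcode lookup written the vulnerable way and the parameterised way, run against the probes the reply above lists plus an over-long value that ignores the form's 10-character limit. It uses PHP's PDO with an in-memory SQLite table; the table, rows and function names are constructed for this example.

```php
<?php
// Added example: the same postcode lookup done unsafely and safely, so the
// single-quote / backslash / semicolon probes can be compared side by side.
// The stores table and its two rows are constructed here for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE stores (id INTEGER PRIMARY KEY, name TEXT, postcode TEXT)");
$pdo->exec("INSERT INTO stores (name, postcode) VALUES ('Main St', 'AB1 2CD'), ('High St', 'EF3 4GH')");

// Vulnerable: the form field is pasted straight into the SQL text.
function findByPostcodeVulnerable(PDO $pdo, string $postcode): array {
    $sql = "SELECT name FROM stores WHERE postcode = '" . $postcode . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: enforce the shape and the 10-char limit on the server (the form's
// maxlength is client-side only), then bind the value as a parameter so the
// database never parses it as SQL.
function findByPostcodeSafe(PDO $pdo, string $postcode): array {
    if (!preg_match('/^[A-Z0-9 ]{1,10}$/i', $postcode)) {
        throw new InvalidArgumentException('Postcode must be 1-10 letters, digits or spaces');
    }
    $stmt = $pdo->prepare('SELECT name FROM stores WHERE postcode = :pc');
    $stmt->execute([':pc' => $postcode]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A legitimate value, then the probes from the thread. Which probes trip the
// vulnerable query depends on the database: SQLite only chokes on the quote,
// MySQL would also treat the trailing backslash as an escape character.
$probes = ['AB1 2CD', "'", '"', 'AB1 2CD\\', 'AB1 2CD;', str_repeat('A', 11)];
foreach ($probes as $probe) {
    foreach (['vulnerable' => 'findByPostcodeVulnerable', 'safe' => 'findByPostcodeSafe'] as $label => $fn) {
        try {
            $rows = $fn($pdo, $probe);
            $result = 'no error, ' . count($rows) . ' row(s)';
        } catch (PDOException $e) {
            // In production this goes to a log, never to the page.
            $result = 'SQL ERROR: ' . $e->getMessage();
        } catch (InvalidArgumentException $e) {
            $result = 'rejected by input check: ' . $e->getMessage();
        }
        printf("%-10s %-14s -> %s\n", $label, json_encode($probe), $result);
    }
}
```

Run it with `php` on the command line; a SQL ERROR line for the vulnerable version on the single-quote probe is the symptom the reply above describes, while the safe version only ever reports an input-check rejection or a row count.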
Voodoo Jai wrote:
I have this piece of code that was created in conjunction with
Dreamweaver and myself but I'm now a little lost as to what is what.
Could someone enlighten me a little.
Do you have any idea what this code does? Or is it just something you
let DreamWeaver create for you? From the looks of it, it's the latter.
You should NEVER trust another package like this to generate secure code
for you. You need to ALWAYS understand what it is doing.
In this case there is way too much extraneous code.
You need to learn PHP and forget about code generators like DreamWeaver.
They're okay for rapid prototyping, but not for a production system,
IMHO.
And if you know PHP, you can generate the correct code faster than you
can in DreamWeaver - and be assured it's safe, because you understand
what's going on.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
On 11 Oct, 10:38, Voodoo Jai <voodoo...@btinternet.com> wrote:
I have a page that uses a form to pass a postcode to another page and I
want to test it against an SQL Injection. What would be a safe (i.e. NO
DELETING of data) statement to try and how would I format this to try
in the form?
I have limited the field to 10 chars so I know I would have to test it
with a larger field because a hacker could just rewrite the form and
use a larger field for the attempted attack.
Many thanks in advance
VoodooJai
Nice you asked, most people do not bother - they just put magic code
on production servers and hope that no one tries to inject toxic
queries into their system.
That said, if you're unsure of how to protect your system, I'd suggest
you contract it to a professional to sort out.
Good luck!
--
Evans http://www.jroller.com/evans
"Evans" <on*****@gmail.com> wrote...
: That said, if you're unsure of how to protect your system, I'd suggest
: you contract it to a professional to sort out.
: Good luck!
Your reply amounts to...
I don't have an answer. Get help from someone else. Good luck.
--
Jim Carlock
You Have More Than Five Senses http://www.associatedcontent.com/art...ve_senses.html
Jim Carlock wrote:
"Evans" <on*****@gmail.com> wrote...
: That said, if you're unsure of how to protect your system, I'd suggest
: you contract it to a professional to sort out.
: Good luck!
Your reply amounts to...
I don't have an answer. Get help from someone else. Good luck.
Not at all. His answer is right on the money. SQL injection is a
complicated subject - and way longer than can be handled in a few
newsgroup messages.
We can provide some *guidance* - but not the *understanding* needed to
protect a system.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================