|
Web Application Security
Google code search Oct 05 2006 06:08AM Stephen de Vries (stephen corsaire com) (3 replies) Magic Quotes Oct 06 2006 11:00AM DokFLeed (dokfleed dokfleed net) (2 replies) |
|
|
Privacy Statement |
>if there is noway around Magic Quotes, then why is every developer
>against it ?
>Dok
You can often get around it, depending upon the app and the query.
Here is one that works...or at least did work at the time. It's pretty old:
http://packetstormsecurity.nl/0311-exploits/phpBB206.txt
What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:
SELECT * from db.table where column = 1100
What if I change 1100 to: -9999 union select * from whatever.whatever
(No quotes needed here...)
Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.
Steve
==================================================
Steve Slater
President
Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550
http://www.securitycompliancecorp.com
slater (at) securitycompliancecorp (dot) com [email concealed]
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
------------------------------------------------------------------------
--
[ reply ]