Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Magic Quotes

from [Steve Slater] Network Security [Permanent Link]
Subject: Re: Magic Quotes
Date: Tue, 10 Oct 2006 16:11:30 -0700 
At 04:00 AM 10/06/06, DokFLeed wrote:

if there is noway around Magic Quotes, then why is every developer against it ?
Dok 

You can often get around it, depending upon the app and the query.
Here is one that works...or at least did work at the time. It's pretty old:

http://packetstormsecurity.nl/0311-exploits/phpBB206.txt

What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:

SELECT * from db.table where column = 1100

What if I change 1100 to: -9999 union select * from whatever.whatever

(No quotes needed here...)

Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.

Steve



==================================================

Steve Slater
President

Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550

http://www.securitycompliancecorp.com
slater@securitycompliancecorp.com 



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Magic Quotes, Matt Fisher
Next by Date:  Re: Magic Quotes, DokFLeed
Previous by Thread:  RE: Magic Quotes, Matt Fisher
Next by Thread:  Re: Magic Quotes, DokFLeed
Indexes:  [Date] [Thread] [Top] [All Lists]