Learn sql injection

#1
Hi guys,
Does anybody know anything about SQL injection? I really would like to learn about it.
Guys, let's all talk about this topic.

I got a PDF file about it.

#2
hmmmmmm

Why bring this up in the first place?


#3
Someone is hacking me

The reason why I bring up this topic is because someone is hacking into my database, and I want to hack back into his.


#4
If someone is hacking your site via SQL injection, don't you think they would cover their own site against it?

..... kinda pointless?


#5
Originally posted by makvanpor2000:
The reason why I bring up this topic is because someone is hacking into my database, and I want to hack back into his.

Code:
# mod_rewrite rules in .htaccess do nothing until the engine is switched on
RewriteEngine On
# Refuse (403 Forbidden) any request whose query string contains one of these
# SQL keywords with a non-letter on either side; [NC] makes it case-insensitive
RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]
Add this to your .htaccess.
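The rule above is a keyword blocklist. As an added example, not code from the thread, here is the same regular expression re-implemented in Python and run over a few constructed query strings, to show what it catches, what it blocks by mistake, and what slips past it. mod_rewrite tests %{QUERY_STRING} before any %xx URL decoding, so a keyword with one letter percent-encoded is never seen by the rule but is decoded by PHP before it reaches the query; the sample strings and their verdicts are made up for this example.

```python
import re

# The keyword list from the .htaccess rule above, compiled the way mod_rewrite
# evaluates it: case-insensitively ([NC]) and against the RAW query string,
# i.e. before any %xx URL decoding has happened.
KEYWORD_RULE = re.compile(
    r"[^a-z](declare|char|set|cast|convert|delete|drop|exec|insert|meta|script"
    r"|select|truncate|update)[^a-z]",
    re.IGNORECASE,
)


def is_blocked(raw_query_string: str) -> bool:
    """True if the RewriteCond would fire and the request would get a 403."""
    return KEYWORD_RULE.search(raw_query_string) is not None


# Constructed sample query strings with the verdict the rule gives each one
# (made up for this example, not taken from the thread).
SAMPLES = {
    # harmless request: passes
    "id=1": False,
    # textbook UNION injection: caught
    "id=1+union+select+password+from+users": True,
    # upper-case keyword inside a subquery: [NC] makes it case-insensitive, caught
    "id=1%20AND%20(SELECT%20COUNT(*)%20FROM%20users)>0": True,
    # legitimate application parameter that happens to contain a keyword:
    # blocked by mistake (false positive)
    "action=update&id=7": True,
    # same UNION injection with the 's' of "select" percent-encoded as %73:
    # the rule never sees the word "select", PHP sees it after decoding
    "id=1+union+%73elect+password+from+users": False,
    # boolean-based injection that uses no keyword from the list at all: missed
    "id=1+or+1=1": False,
}


def evaluate(samples=SAMPLES) -> dict:
    """Run every sample through the rule and return {query_string: blocked}."""
    return {query: is_blocked(query) for query in samples}


def mismatches(samples=SAMPLES) -> list:
    """Samples whose actual verdict differs from the one recorded in SAMPLES."""
    return [q for q, expected in samples.items() if is_blocked(q) != expected]


if __name__ == "__main__":
    for query, blocked in evaluate().items():
        print(f"{'BLOCKED' if blocked else 'passed '}  {query}")
```

The last two samples are the practical point: a blocklist on the raw query string is a speed bump, not a fix, and the fix has to be in the code that builds the query.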


#6
Don't hack back, since you are a new coder; just chill out. Hacking is bad, just learn preventive measures.


#7
Prevention of SQL injection attacks in PHP

To avoid SQL injection attacks, please follow these simple mechanisms in PHP:

1) Always restrict the length of the form fields, e.g. don't allow more than 20 characters in fields like username and password, with the "maxlength" property available in the HTML form.

2) Always validate for proper input, like whether the value is a valid email or not, is numeric or not, is a valid date or not, etc.

3) Finally, always use the mysql_real_escape_string() function before sending the variable to the SQL query, it ad. For example (note: you must be connected to the database to use this function):
Code:
<?php
// Needs an open MySQL connection: mysql_real_escape_string() uses the
// connection's character set and fails without one.
// (The mysql_* extension was removed in PHP 7; mysqli_real_escape_string($link, ...)
// is the equivalent there.)
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

If an intruder injects ' OR 1 in the username and password fields, then the value of $username and $password will become \' OR 1, which is not going to harm us anymore.

This might also help someone.
.htaccess

Code:
# mod_rewrite rules in .htaccess do nothing until the engine is switched on
RewriteEngine On
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
Last edited by GiLL; 22.11.09, 22:47.
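To see what the escaping advice above does and does not buy you, here is an added example, not code from the thread, written in Python with SQLite standing in for PHP and MySQL. The escape() helper doubles single quotes, which is standard SQL's counterpart of the backslash escaping that mysql_real_escape_string() does for MySQL; the users table and the two payloads are constructed for the example. It shows the login bypass on a concatenated query, that escaping stops it when the value sits inside quotes, that escaping does nothing for an unquoted numeric value (which is why step 2, validating that a number really is a number, matters), and that a parameterised query handles both cases.

```python
import sqlite3


# Constructed sample table (made up for this example). An in-memory SQLite
# database stands in for the MySQL database the thread talks about.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "alice", "hunter2")],
    )
    return conn


def escape(value: str) -> str:
    """Quote-doubling escape: standard SQL's counterpart of the backslash
    escaping mysql_real_escape_string() does for MySQL (assumption made for
    this example, because SQLite has no backslash escapes)."""
    return value.replace("'", "''")


def run(conn, sql, params=()):
    """Execute and return the matched user ids, sorted; [] means no match."""
    return sorted(row[0] for row in conn.execute(sql, params))


def login_concat(conn, username, password):
    """Raw string concatenation: the bug the thread is about."""
    sql = ("SELECT id FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return run(conn, sql)


def login_escaped(conn, username, password):
    """Same query, each value escaped before it is pasted into the SQL text."""
    sql = ("SELECT id FROM users WHERE username = '" + escape(username)
           + "' AND password = '" + escape(password) + "'")
    return run(conn, sql)


def user_by_id_escaped(conn, user_id):
    """Escaping an UNQUOTED value is useless: there is no quote to break out
    of, so the attacker never needs one and the escape function has nothing
    to do."""
    return run(conn, "SELECT id FROM users WHERE id = " + escape(user_id))


def login_prepared(conn, username, password):
    """Parameterised query: the values are bound, never parsed as SQL."""
    return run(conn, "SELECT id FROM users WHERE username = ? AND password = ?",
               (username, password))


def user_by_id_prepared(conn, user_id):
    """Same for the numeric lookup: the bound text never becomes SQL."""
    return run(conn, "SELECT id FROM users WHERE id = ?", (user_id,))


STRING_PAYLOAD = "' OR '1'='1"   # classic login bypass for a quoted value
NUMERIC_PAYLOAD = "1 OR 1=1"     # needs no quote at all for an unquoted value


def demo() -> dict:
    """Return the id list each variant yields for the attack payloads."""
    conn = make_db()
    return {
        "concat":           login_concat(conn, STRING_PAYLOAD, STRING_PAYLOAD),
        "escaped":          login_escaped(conn, STRING_PAYLOAD, STRING_PAYLOAD),
        "escaped_numeric":  user_by_id_escaped(conn, NUMERIC_PAYLOAD),
        "prepared":         login_prepared(conn, STRING_PAYLOAD, STRING_PAYLOAD),
        "prepared_numeric": user_by_id_prepared(conn, NUMERIC_PAYLOAD),
        "valid_login":      login_prepared(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, ids in demo().items():
        print(f"{name:17} -> {ids}")
```

The concatenated login returns every user for the string payload, the escaped one returns nothing for it, but the escaped numeric lookup still returns every user; only the parameterised versions refuse both payloads while still finding alice with her real password.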


#8
Originally posted by GiLL:
Prevention of SQL injection attacks in PHP

Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
Code:
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked requests to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

Where do I need to put that htaccess? I mean the .htaccess file.


#9
Originally posted by kei_ki7:
Where do I need to put that htaccess? I mean the .htaccess file.

In the folder where your script is.


#10
Hi, thanks for the help. It was really helpful. But if you have time, you could also tutor on how to validate the email field, apart from using the mysql_real_escape_string() function.


#11
Originally posted by GiLL:
Prevention of SQL injection attacks in PHP

To avoid SQL injection attacks, please follow these simple mechanisms in PHP:

1) Always restrict the length of the form fields, e.g. don't allow more than 20 characters in fields like username and password, with the "maxlength" property available in the HTML form.

2) Always validate for proper input, like whether the value is a valid email or not, is numeric or not, is a valid date or not, etc.

3) Finally, always use the mysql_real_escape_string() function before sending the variable to the SQL query, it ad. For example (note: you must be connected to the database to use this function):
Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

PHP Code:
<?php
// Same as above, but the input is also run through htmlspecialchars() and
// strip_tags(); the leading @ suppresses the notice PHP raises when the
// $_POST key is missing.
@$username = mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['username'])));
@$password = mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['password'])));
This should be pretty much better.
Last edited by metulj; 27.11.09, 05:58.


#12
Originally posted by paramound:
Don't hack back, since you are a new coder; just chill out. Hacking is bad, just learn preventive measures.

You'd better not deviate from the topic, because I am not a newbie here; as you can see, I am a senior member here.


#13
What's SQL injection, is it a reason for hacking our site? What can we do for the security of our site? The other day someone hacked my site, and maybe he used my password also. How is it possible, even though I changed my password last evening? I am very confused about it. Can anyone tell me how that hacker entered my site and how he got my password?


#14
Lmao, SQL injection simply means: I don't need your password to **** with your application, lmao.


#15
Then how can we protect our site from hacking? ..and where do I put this code... mysql_real_escape_string(strip_tags.... I want to protect my site only against SQL injection... how can I do it... please help me... please