Posted by Charlie King on 01/15/06 11:41
On Sun, 15 Jan 2006 09:00:58 +0100, in
<43ca00f8$0$1073$4fafbaef@reader2.news.tin.it> (alt.comp.lang.php)
"J2be" <info@nospamj2be.com> wrote:
>
> "Charlie King" <charlie@removethisitsaspamtrap.stopthatitssilly.com> wrote
> in message news:5ofis1h3k8qt3rhkd86srotmd0j96tdmnn@4ax.com...
> > On Sat, 14 Jan 2006 18:21:43 +0100, in
> > <43c932fe$0$1066$4fafbaef@reader2.news.tin.it> (alt.comp.lang.php)
> > "J2be" <info@nospamj2be.com> wrote:
> >
> >> in the features you can add
> >> - Several Sql Injections
> >
> > Not the most constructive of your criticisms - how would you suggest
> > to avoid SQL Injection attacks?
> >
>
> ehr ?!?!? ....
> Never heard about Sarcasm?!?
Nope. Never. What is it?
> And let me say that his Post seems to me normal spam even if it's a gpled
> script!
> It's quite useless to post several times posts about own scripts or the
> whole newsgroup
> will be submerged by tons of announcements of scripts releases.
Well that is fair enough, but the other side of the coin is that when,
a while back, I was trying to research SQL injection attacks on forums
and news groups, I got lots of 'bleh your script is vulnerable' without
anyone making it clear why. Given the degree to which PHP relies on
its own community, I think that the 'why' is the most important bit.
> In this particular case the script has basic errors and there's no need
> to explain
> how to avoid sql injection because there are tons of tutorials and
> there's only 1 thing to do to avoid them
> mysql_real_escape_string() or intval() (for integer values it's the best
> thing).
Agreed.
> addslashes() and stripslashes() are USELESS to avoid sql injections but
> there are still tons of persons that are using them without knowing what's
> going on!!
Not entirely agreed - you need to know about addslashes() and
stripslashes() (and how to use the latter recursively) to get around
the fact that so many hosts' php installations have the horrible
gpc_magic_quotes set to 'on'. And why have they? Because they
think it'll help avoid SQL injection attacks. To be fair, addslashes
*does* sanitise ", ', \ and NULL.
> Limiting the size of strings doesn't give any kind of benefit
> and 8 should be by default(imho) the MINIMUM number of characters
> to be used for a Password.
> Logins with few characters can be guessed with simple brute force attacks.
> There's no need to truncate strings if you write decent code with a little
> bit of brain
> ..... just a mysql_real_escape_string() for the strings that you put in the
> sql queries.
Limiting the length of input strings to what is needed, limits the
scope for adding injection code to a string. Many of the tutorials to
which you allude earlier agree on this.
As to what length to limit passwords to, specifically, that is another
matter. I was just giving an example.
> Nothing to say about error logging.
>
> ... But .. hey you've not explained a thing and you are yelling about
> constructive things?!?!?
Yes I have. I'm sorry if you got upset by my suggesting that your
criticism was unconstructive, but please try not to get all riled by
it.
Nice collection of punctuation, there, by the way.
> You've suggested random things with errors and they are not going to help
> the persons
I have suggested a number of places in which people who want to use
PHP and MySQL together might look for information about SQL Injection
attacks.
> to understand to NOT SPAM and use a search engine to understand what we are
> talking about!
If you wanted the OP to understand about spam, then you ought to have
said 'please do not spam this newsgroup'. That would have been a
clearer message, don't you think?
> In the end I suppose that the person that has posted the initial message
> also doesn't care about
> the newsgroup and doesn't give a fuck to what we say!
Possibly not, but I am more concerned about those who come here
searching for help on SQL Injection.
> Next time please waste less time into writing crap and paste a link related
> to Sql Injections
> if you are really worried about that thing!
As well as giving some useful information, I might also have posted a
link, true, but I didn't have one to hand at the time.
Still, more than you did, eh?
> NOTE: Please don't continue this thread as a flame because there's nothing
> more to say!!!!!!
NOTE: Please don't continue to flame in the thread to which I added
useful information!!!!!111!!!!!!ONEONEONE.
By the way, there's lots to say about SQL Injection and it's
something about which PHP and SQL developers ought to know.
For those who are interested, here are a few links (not all PHP and/or
MySQL, but they do give useful information about the theory of the
problem). For those who aren't, "move along please, nothing to see
here."
http://php.benscom.com/manual/en/security.database.sql-injection.php
http://securephp.damonkohler.com/index.php/SQL_Injection
http://www.vbmysql.com/articles/sqlinjection.html
http://en.wikipedia.org/wiki/SQL_injection
http://www.securiteam.com/securityreviews/5DP0N1P76E.html
--
Charlie
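As an added illustration of the points argued above (not code from either poster), here is the PHP 5-era pattern the thread describes: undo magic_quotes_gpc recursively with stripslashes() so data is escaped exactly once, pass integers through intval(), cut strings to the length the column needs, and escape them for the connection. The names `login_query_unsafe`, `login_query_safe` and the `$escape` callback are assumptions; `$escape` stands in for mysql_real_escape_string() bound to a live link, so the file runs without a database.

```php
<?php
// Added example, not code from the thread. Assumes the PHP 5-era mysql
// extension under discussion; in production $escape would be
// mysql_real_escape_string() using the live mysql_connect() link.

// magic_quotes_gpc is a per-host setting that applies addslashes() to
// every request value. Undo it recursively so escaping happens once, here.
function stripslashes_deep($value)
{
    return is_array($value)
        ? array_map('stripslashes_deep', $value)
        : stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// VULNERABLE: request values concatenated straight into the SQL string.
function login_query_unsafe($user, $id)
{
    return "SELECT * FROM users WHERE name = '$user' AND id = $id";
}

// HARDENED: integers go through intval(), strings are truncated to the
// length the column actually needs and then escaped via $escape.
function login_query_safe($user, $id, $escape, $max_len = 32)
{
    $id   = intval($id);
    $user = $escape(substr($user, 0, $max_len));
    return "SELECT * FROM users WHERE name = '$user' AND id = $id";
}

// Stand-in for mysql_real_escape_string($s, $link): escapes the same byte
// set for a single-byte charset, but without the connection's charset
// awareness that the real function provides (assumption, demo only).
function escape_stand_in($s)
{
    return strtr($s, array("\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"));
}

// Constructed hostile input: a quote-breaking name and a non-numeric id.
$user = "admin' OR '1'='1";
$id   = "1 OR 1=1";
echo login_query_unsafe($user, $id), "\n";
echo login_query_safe($user, $id, 'escape_stand_in'), "\n";
```

Running both functions on the constructed input shows the unsafe query growing an extra predicate, while the hardened one keeps the quote inside the string literal and reduces the id to the integer 1.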