On Wed, Apr 8, 2009 at 12:05 PM, Michael A. Peters <mpet...@mac.com> wrote:
> Andrew Ballard wrote:
>
>> You don't need a disassembler; I already said what that string is
>> intended to do. If it is allowed to run on Microsoft's SQL Server, the
>> hex value is implicitly converted to the string "WAITFOR DELAY
>> '00:00:10'", which is then executed. It doesn't require semi-colons,
>> as SQL Server doesn't need them between statements. This particular
>> command is relatively harmless by itself. Its value lies in the fact
>> that if it causes the resulting page to take more than 10 seconds to
>> load, the attacker knows that your page is wide open to SQL injection
>> as well as knowing that he can execute anything he wants. If you're
>> running MySQL, this won't work so you should be unaffected. Just make
>> sure your code is written to prevent SQL injection and you should be
>> fine.
>
> Would doing all SQL queries via PEAR MDB2 prepare() and execute() prevent
> SQL injection, or do other SQL injection steps need to be taken when using PEAR
> MDB2?
>

I'm not very familiar with the Pear libraries, but the approach is a
good one. A good library will either pass the query off as a prepared
statement with parameters to the database (if supported) or else will
perform parameter substitution that should use
mysql_real_escape_string() or similar functions to build a statement
that should be safe to execute.

The fact that you see these strings in the correct database field is a
good sign, because they were correctly interpreted as string input and
inserted rather than being interpreted as statements and executed.
Just don't use this as a litmus test for your site's overall security.

Andrew
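
The two approaches Andrew describes, written out against PEAR MDB2 as an added example (not code from the thread): string interpolation, MDB2's own quote() escaping, and prepare()/execute() with a bound parameter. The DSN, table and column names are assumptions.

```php
<?php
// Added example, not from the thread. Assumes a MySQL DSN and a
// table `comments` with an AUTO_INCREMENT `id` and a TEXT `body` column.
require_once 'MDB2.php';

$mdb2 = MDB2::factory('mysql://user:pass@localhost/app');
if (PEAR::isError($mdb2)) {
    die($mdb2->getMessage());
}

// Constructed input: a plain single quote is enough to break out of a
// string literal on any engine, with or without a hex payload behind it.
$comment = "O'Reilly";

// 1. Unsafe (shown, deliberately not executed): the quote in $comment ends
//    the literal, so whatever follows it is parsed as SQL.
$unsafeSql = "INSERT INTO comments (body) VALUES ('" . $comment . "')";

// 2. Escaping: MDB2 quotes the value with the driver's escaping routine
//    (mysql_real_escape_string() or equivalent), so the quote is doubled
//    and the whole value stays inside the literal.
$escapedSql = 'INSERT INTO comments (body) VALUES ('
            . $mdb2->quote($comment, 'text') . ')';
$res = $mdb2->exec($escapedSql);
if (PEAR::isError($res)) {
    die($res->getMessage());
}

// 3. Prepared statement: prepare() fixes the statement's structure first;
//    execute() then binds $comment as 'text' data, so it can never change
//    the query, whatever characters it contains.
$sth = $mdb2->prepare(
    'INSERT INTO comments (body) VALUES (?)',
    array('text'),
    MDB2_PREPARE_MANIP
);
if (PEAR::isError($sth)) {
    die($sth->getMessage());
}
$affected = $sth->execute(array($comment));
if (PEAR::isError($affected)) {
    die($affected->getMessage());
}
$sth->free();

// Reading it back shows the full string, quote included, stored as data,
// which is the "correct database field" outcome Andrew refers to.
$row = $mdb2->queryRow('SELECT body FROM comments ORDER BY id DESC',
                       null, MDB2_FETCHMODE_ASSOC);
echo $row['body'], "\n";
```

Option 3 is the one to standardise on: escaping depends on the driver and the connection's character set being right, while a bound parameter is safe regardless of what the value contains.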

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
