On Wed, Apr 8, 2009 at 12:05 PM, Michael A. Peters <mpet...@mac.com> wrote: > Andrew Ballard wrote: > >>> >> >> You don't need a disassembler; I already said what that string is >> intended to do. If it is allowed to run on Microsoft's SQL Server, the >> hex value is implicitly converted to the string "WAITFOR DELAY >> '00:00:10'", which is then executed. It doesn't require semi-colons, >> as SQL Server doesn't need them between statements. This particular >> command is relatively harmless by itself. Its value lies in the fact >> that if it causes the resulting page to take more than 10 seconds to >> load, the attacker knows that your page is wide open to SQL injection >> as well as knowing that he can execute anything he wants. If you're >> running MySQL, this won't work so you should be unaffected. Just make >> sure your code is written to prevent SQL injection and you should be >> fine. > > Would doing all SQL queries via pear mdb2 prepare() and execute() prevent > sql injection, or do other sql injection stepps need to take when using pear > mdb2? >
I'm not very familiar with the Pear libraries, but the approach is a good one. A good library will either pass the query off as a prepared statement with parameters to the database (if supported) or else will perform parameter substitution that should use mysql_real_escape_string() or similar functions to build a statement that should be safe to execute. The fact that you see these strings in the correct database field is a good sign, because they were correctly interpreted as string input and inserted rather than being interpreted as statements and executed. Just don't use this as a litmus test for your site's overall security. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
