MySQL Injection.
Moderator: General Moderators
- mikeashfield
- Forum Contributor
- Posts: 159
- Joined: Sat Oct 22, 2011 10:50 am
MySQL Injection.
I've only just heard about this today. How can I see if my PHP code is injectable? I know now about using mysql_real_escape_string so will get all that sorted.
Re: MySQL Injection.
mikeashfield wrote: I know now about using mysql_real_escape_string so will get all that sorted.
Better still, use prepared statements.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: MySQL Injection.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: MySQL Injection.
Or, you know, see if you can find a forum about PHP/security and try posting your code there.
If you've read a basic tutorial on sql injection, you can also try my article (link in the sig, but the HTML version is broken, so use the plaintext one: http://www.webappsec.org/projects/articles/091007.txt)
There's a link to a zip file inside with all the demo code in the article which you can tweak and use as a playground.
Re: MySQL Injection.
Also there are some tools for sql injection testing using metasploit framework. But you should really hire Mordred to test it out properly.
Re: MySQL Injection.
You can check whether your form accepts SQL keywords, special characters like ' etc. Also, sometimes the injection is done using an encoded string which might be a SQL query. Also Google the types of SQL injections.
Re: MySQL Injection.
Understand the problem - then use a framework.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: MySQL Injection.
uday8486 wrote: You can check whether your form accepts sql keywords, special characters like " ' " etc.
It's probably easier to use mysql_real_escape_string().
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
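The following is an added example, not code from any poster in this thread, that puts the three approaches discussed above side by side: the string-building that makes a query injectable (the situation in the original question), the escaping approach (mysql_real_escape_string, named in the question and again in the last reply), and the prepared statements recommended in the first reply. It uses an in-memory SQLite database through PDO so it runs offline from the PHP CLI; the MySQL DSN shown in the comment, the users table and the two inputs are assumptions constructed for the demo. Because the mysql_* extension is gone in PHP 7, and mysqli_real_escape_string needs a live MySQL connection, PDO::quote() stands in for the escaping step.

```php
<?php
// Added example (not from the thread). Runs offline via SQLite; for MySQL the DSN
// would be something like 'mysql:host=localhost;dbname=app;charset=utf8mb4' (assumed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed inputs: a normal username and the classic tutorial payload, which
// turns the WHERE clause into an always-true condition when it is concatenated in.
$normal  = 'alice';
$hostile = "' OR '1'='1";

// 1) Injectable: untrusted input is pasted straight into the SQL text, so the
//    input can change the structure of the query, not just the value compared.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Escaping: the mysql_real_escape_string approach. PDO::quote() is used here as a
//    stand-in; it returns the value with special characters escaped and already wrapped
//    in quotes. This only protects quoted string literals and only if the connection
//    charset is set correctly, which is why the reply above prefers option 3.
function findUserEscaped(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = " . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Prepared statement: the query shape is fixed before any data is supplied, and the
//    value is bound as a parameter, so it can never be parsed as SQL.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = :username");
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Run with: php sqli_demo.php
// Compare the row counts: only the unsafe variant returns rows for the hostile input.
foreach (['normal' => $normal, 'hostile' => $hostile] as $label => $input) {
    printf("unsafe/%-8s %d row(s)\n",   $label, count(findUserUnsafe($db, $input)));
    printf("escaped/%-8s %d row(s)\n",  $label, count(findUserEscaped($db, $input)));
    printf("prepared/%-8s %d row(s)\n", $label, count(findUserPrepared($db, $input)));
}
```

A useful way to answer the original "how can I see if my code is injectable" question is the shape of the code rather than a list of characters to test for: anywhere a variable is interpolated or concatenated into SQL text, as in findUserUnsafe, the query is injectable regardless of what the form appears to accept. Moving every such query to a prepared statement with bound parameters removes the problem class; escaping fixes one case at a time and depends on the connection charset being set.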