Security Resources
Moderator: General Moderators
- Buddha443556
- Forum Regular
- Posts: 873
- Joined: Fri Mar 19, 2004 1:51 pm
Php Endangers - Remote Code Execution: http://milw0rm.com/papers/176
There are 10 types of people in this world, those who understand binary and those who don't
The Unexpected SQL Injection
(When Escaping Is Not Enough)
by yours truly
http://www.webappsec.org/projects/articles/091007.shtml
Abstract: We will look at several scenarios under which SQL injection may occur even though mysql_real_escape_string() has been used. There are two major steps in writing SQL-injection-resistant code: correct validation and escaping of input, and proper use of SQL syntax. Failure to comply with either of them may lead to compromise. Many of the specific issues are already known, but no single document mentions them all.
Although the examples are built on PHP/MySQL, the same principles apply to ASP/MSSQL and other combinations of languages and databases.
Last edited by Mordred on Mon Sep 17, 2007 3:32 pm, edited 1 time in total.
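As an added illustration of the abstract's two steps (this is example code written for this thread, not code from Mordred's article): escaping only protects a value that ends up inside a quoted string literal, so an escaped value dropped into an unquoted numeric context, or into a position that can never be quoted such as an ORDER BY column name, is still live SQL. mysql_real_escape_string() is stood in for by a local function so the file runs without a database connection; the users table, its columns and the allow-list are assumptions.

```php
<?php
// Stand-in for mysql_real_escape_string(): escapes the same characters
// (NUL, \n, \r, \, ', ", \x1a) so this example runs without a MySQL link.
function fake_escape(string $s): string {
    return strtr($s, [
        "\0" => '\0', "\n" => '\n', "\r" => '\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\Z',
    ]);
}

// Step 1 done, step 2 missed: the value is escaped but the placeholder is not
// quoted, so characters the escaper never touches (spaces, '=', letters)
// are interpreted as SQL.
function vulnerableQuery(string $id): string {
    $safe = fake_escape($id);
    return "SELECT * FROM users WHERE id = $safe";
}

// Hardened: validate the type before the value reaches SQL at all.
function hardenedQuery(string $id): string {
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be an unsigned integer');
    }
    return "SELECT * FROM users WHERE id = " . (int) $id;
}

// Preferred: let the driver keep code and data apart (assumes a PDO handle).
function hardenedPrepared(PDO $pdo, string $id): array {
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be quoted as strings, so escaping does not apply: map the
// request value onto a fixed allow-list (assumed column names) instead.
function orderByClause(string $requested): string {
    $allowed = ['name' => 'name', 'created' => 'created_at'];
    $column = $allowed[$requested] ?? 'name';
    return "ORDER BY $column";
}

// Constructed input: it contains no quote, so escaping leaves it unchanged.
$input = "1 OR 1=1";
echo vulnerableQuery($input), "\n";   // SELECT * FROM users WHERE id = 1 OR 1=1
try {
    hardenedQuery($input);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo hardenedQuery("42"), "\n";       // SELECT * FROM users WHERE id = 42
echo orderByClause("created"), "\n";  // ORDER BY created_at
echo orderByClause("id; anything"), "\n"; // ORDER BY name (falls back to default)
```

The point to take from the vulnerable function is that the escaper behaved exactly as documented; the defect is in the SQL around it. A quick review check is to look at every interpolated variable and ask whether it sits between quotes, is a validated integer, or is bound by the driver; anything else needs an allow-list.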
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml
Everah wrote:
For those that are looking for mordred's article... http://www.webappsec.org/projects/articles/091007.shtml

Oh, drats, I forgot the link?! I should have my forum license revoked
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Security Resources
One of the major sources of information about PHP security is the mailing lists at php.net: people normally face issues and report them, and then community members give their views, and it sometimes becomes very interesting ...

Re: Security Resources
Thanks 

Re: Security Resources
This is an excellent source for PHP security. I'm impressed.
Re: Security Resources
There are so many masters here that I can learn more from, thank you!
- Forum Newbie
- Posts: 10
- Joined: Sat Jul 16, 2011 12:13 am
Re: Security Resources
Nice article
Re: Security Resources
Hi everybody,
How can I abstract a URL in PHP? For example, I want to abstract "www.belabela.com/about.php" to "www.belabela.com/about" or something like this. Must I change something in the .htaccess file, or is it something else?
The next question is about source code: how can I prevent it from being saved or shown?
thx
Re: Security Resources
A detailed and humorous account on how to (and how not to) do escaping in PHP, by our own Maugrim (aka Pádraic Brady)
A Hitchhiker’s Guide to Cross-Site Scripting (XSS) in PHP (Part 1): How Not To Use Htmlspecialchars() For Output Escaping
- Christopher
- Site Administrator
- Posts: 13592
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Security Resources
Hey Mordred, perhaps you could give us a little clearer (and less humorous) tutorial, or point us to one of yours, on how to correctly use htmlspecialchars() for output escaping and what other code is needed to ensure it is done right. For example, do you recommend using mb_convert_encoding() to convert everything to UTF-8?
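As an added example for the question above (written here, not taken from Mordred's or Pádraic's articles): the three things that usually go wrong with htmlspecialchars() are the quote flag, the charset, and what happens to input that is not valid in that charset. The helper names and the sample strings are constructed for the demonstration.

```php
<?php
// Recommended helper: encode both quote kinds, replace invalid byte sequences
// with U+FFFD instead of silently returning '', and name the charset explicitly.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Weak form: ENT_COMPAT encodes double quotes only (the default before PHP 8.1).
function e_compat(string $s): string {
    return htmlspecialchars($s, ENT_COMPAT, 'UTF-8');
}

// Builds a single-quoted attribute with the supplied escaper so the
// difference between the two helpers is visible in the output.
function input_tag(string $value, callable $escaper): string {
    return "<input value='" . $escaper($value) . "'>";
}

// Constructed sample input: an ordinary apostrophe is enough to show the gap.
$name = "O'Reilly \"Books\"";
echo input_tag($name, 'e_compat'), "\n"; // <input value='O'Reilly &quot;Books&quot;'>  (attribute closed early)
echo input_tag($name, 'e'), "\n";        // <input value='O&#039;Reilly &quot;Books&quot;'>

// Constructed sample input: a Latin-1 byte that is not valid UTF-8.
$latin1 = "caf\xE9";
var_dump(htmlspecialchars($latin1, ENT_QUOTES, 'UTF-8') === ''); // bool(true): whole string dropped
var_dump(e($latin1) === "caf\xEF\xBF\xBD");                      // bool(true): U+FFFD substituted

// If the source really is Latin-1, convert once at the input boundary rather
// than guessing at output time; escaping then sees valid UTF-8.
echo e(mb_convert_encoding($latin1, 'UTF-8', 'ISO-8859-1')), "\n"; // café
```

Two caveats that the helper does not remove: it is correct only for HTML body text and quoted attribute values, so a value that lands inside a script block, an inline event handler, a URL or a CSS property needs escaping for that context instead; and the attribute must actually be quoted in the template, since no escaper can help an unquoted `value=...`. mb_convert_encoding() belongs at the boundary where the data enters, with a known source charset, not sprinkled over output.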