cjm1504
Posted October 19, 2006

How do you find SQL-Injection vulnerable scripts? Do you just try entering ' or %2527 in every edit box you can find, or do you parse open source code to find vulnerable scripts?

If there are any tutorials on this (finding the vulnerabilities, maybe even some which describe how to avoid prevention measures), I would appreciate it if you could post a link or two.

jlhaslip
Posted October 19, 2006

I'm thinking this topic will only result in warnings and bans to those members that post information about using SQL injections to 'hack' or damage sites. And I really don't want that to happen.

Instead of taking this 'destructive' approach, I would like to suggest that the members focus on preventing SQL Injections. Sites are never bomb-proof, but security on the web is a continuum and those sites we consider 'secure' are at one end of the continuum, by using correct and pro-active coding.

Surely the members here know some of the better techniques to prevent SQL Injections and other security breaches. Let's hear them.

Here are a couple of articles as a starting point:

https://en.wikipedia.org/wiki/Cross_site_scripting
http://alistapart.com/article/secureyourcode
http://alistapart.com/article/secureyourcode2

rvalkass
Posted October 19, 2006

Login pages are usually the most vulnerable area. A hacker will go there first because if they succeed then they can virtually do anything they want. Open source scripts, despite what people say, are actually very secure simply due to the number of people using them and reporting any flaws they find.

If you write a script yourself, make sure to include as many checks as possible. For example, make sure a form has been submitted from your site and nowhere else, and make sure that fields contain alphanumeric characters. The safest way is, before you do anything with the submitted information, strip it of any ', ", <, > or their ASCII code equivalents. This will stop 99.9% of problems, but you have to advise people not to use them in their usernames or passwords.

Florisjuh
Posted October 19, 2006

> Login pages are usually the most vulnerable area. A hacker will go there first because if they succeed then they can virtually do anything they want. Open source scripts, despite what people say, are actually very secure simply due to the number of people using them and reporting any flaws they find. If you write a script yourself, make sure to include as many checks as possible. For example, make sure a form has been submitted from your site and nowhere else, and make sure that fields contain alphanumeric characters. The safest way is, before you do anything with the submitted information, strip it of any ', ", <, > or their ASCII code equivalents. This will stop 99.9% of problems, but you have to advise people not to use them in their usernames or passwords.

I guess if you can take a look into the source code of a script it will be much easier to find bugs which can be exploited, but the positives are also there and might outweigh the disadvantages. Besides, open source coding rocks!

dhaval
Posted October 20, 2006

I think for every input u take in, if u just convert it to html special chars... you'll be pretty safe right?

htmlspecialchars($string, ENT_QUOTES);

That is what I'm doing... can that be exploited in some way?
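
Added example (not part of the thread, and not any poster's code) on the question above of whether htmlspecialchars() alone protects a query: it compares HTML-encoding plus string concatenation with an allowlist check plus a PDO prepared statement. The users table, the function names and the inputs are constructed for illustration, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example: constructed schema and inputs, in-memory SQLite through PDO.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob'), ('O''Brien')");

// "Before": the input is HTML-encoded, then concatenated into the SQL text.
// htmlspecialchars() only rewrites & < > " ' so everything else reaches the
// SQL parser unchanged; in this unquoted numeric context it is parsed as SQL.
function lookupEncoded(PDO $db, string $id): array
{
    $id = htmlspecialchars($id, ENT_QUOTES);
    return $db->query("SELECT name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: allowlist the expected type, then bind the value as a parameter
// so the driver sends it as data and never as part of the statement.
function lookupBound(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT);
    if ($n === false) {
        return [];                       // reject anything that is not an integer
    }
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Bound strings need no stripping, so legitimate apostrophes keep working.
function idsByName(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = '1 OR 1=1';                     // constructed input, contains no quotes
printf("encoded + concatenated: %d row(s)\n", count(lookupEncoded($db, $input)));
printf("validated + bound:      %d row(s)\n", count(lookupBound($db, $input)));
printf("bound, id 1:            %s\n", implode(',', lookupBound($db, '1')));
printf("bound, name O'Brien:    id %s\n", implode(',', idsByName($db, "O'Brien")));
```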