SQL injection
I was working on a login script for the admin page of my guestbook and asked some people that I knew to see if they could hack into it. To my surprise they managed to hack into it in less than half an hour. This got me looking at my code in a new way; suddenly I was seeing massive holes in my security. So I'm trying to think of new ways to fill these holes. Here is one of the ways I came up with.
I don't know if it's been done before or even if it will work, but here goes. What if you took harmful characters like ; and - and changed them into harmless ones like ¬ and ^ before inserting them into the database, and then on another page, when you need it, select the data and change it back before printing it?
timjpriebe posted this at 12:04 — 20th July 2005.
He has: 2,667 posts
Joined: Dec 2004
I know that MySQL has encode and decode functions. Not sure how helpful that would be to you.
JeevesBond posted this at 12:53 — 20th July 2005.
He has: 3,956 posts
Joined: Jun 2002
Seems like a simple problem; are you using PHP/MySQL or something different?
If so, are you using addslashes/stripslashes or the MySQL proprietary mysql_escape_string function? Provide us with a little more detail about exactly what you're doing, how you're doing it and what technologies you're using and we'll be able to help.
a Padded Cell our articles site!
baldrick posted this at 13:35 — 20th July 2005.
He has: 388 posts
Joined: Apr 2005
Oh no, I figured it out. I just used md5. Thanks anyway.
sogua posted this at 02:06 — 7th August 2005.
They have: 10 posts
Joined: Aug 2005
This is an interesting question. Do a search in Google for SQL injection and you can get a lot of solutions for that. As mentioned earlier, mysql_escape_string might help to eliminate this problem.
MamakCorner.com - Your Online Freebies Guide ( Free hosting, free advertising, free url submission, free stat counter, etc ...)
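As an added example that is not part of this thread, the following puts the concatenated login query the original poster is describing next to a parameterised version, which is the approach that makes the escaping and character-swapping questions above moot. It uses Python's standard sqlite3 module as a stand-in for PHP/MySQL, and the admin row is constructed sample data.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the guestbook's admin table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT, password TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'secret')")
    return conn


def login_concat(conn, username, password):
    """Login check with user input pasted straight into the SQL text.
    Any quote character in the input changes the structure of the query,
    which swapping ; and - for other characters does nothing to prevent."""
    sql = ("SELECT COUNT(*) FROM admins WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Hardened check: the SQL text is fixed and the values travel as bound
    parameters, so the database can only ever compare them as data."""
    sql = ("SELECT COUNT(*) FROM admins WHERE username = ? "
           "AND password = ?")
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def demo():
    """Run both versions against the same inputs; returns (concat, param) pairs."""
    conn = make_db()
    results = {}
    results["good"] = (login_concat(conn, "admin", "secret"),
                       login_param(conn, "admin", "secret"))
    results["wrong_pw"] = (login_concat(conn, "admin", "nope"),
                           login_param(conn, "admin", "nope"))
    # A password containing a quote: concatenation lets it rewrite the WHERE
    # clause, while the bound parameter is just a string that does not match.
    tautology = "x' OR '1'='1"
    results["tautology"] = (login_concat(conn, "admin", tautology),
                            login_param(conn, "admin", tautology))
    # A perfectly legitimate apostrophe breaks the concatenated query outright.
    try:
        login_concat(conn, "O'Brien", "secret")
        results["apostrophe_concat"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_concat"] = "syntax error"
    results["apostrophe_param"] = login_param(conn, "O'Brien", "secret")
    return results
```

In PHP the equivalent of login_param is a prepared statement with bound parameters (mysqli or PDO); mysql_escape_string only escapes the string and still leaves the query built by concatenation.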