SQL INJECTION

Any problem with PHP can be discussed here
Totaled_Eclipse
Posts: 10
Joined: Thu Jun 23, 2005 4:25 am

Post by Totaled_Eclipse »

I've heard of people using MySQL injections to hack people's chats. Is there any way to keep that from happening?


serkon
Posts: 4
Joined: Sun Jul 03, 2005 10:41 am

Post by serkon »

In SQL Server you can use ' or ''=' in each field of username and password.
korsaan
Posts: 596
Joined: Sat Apr 09, 2005 2:55 pm

Post by korsaan »

You can use a hard password.
And when you log in to your file manager and see your files,
you couldn't find that path /phpMyAdmin.
So it's absolutely for anybody to hack on your SQL,
and they can hack on your SQL if you are uploading a programme that includes a patch.
You should take care of the files that you are uploading to your host.
With my best wishes:

KoRsAaN:D
Mrlinux
Posts: 15
Joined: Wed Jul 06, 2005 7:29 pm

Post by Mrlinux »

You can read more about them on: http://www.exploitx.com
Max
Posts: 44
Joined: Tue Jul 12, 2005 9:12 am

Post by Max »

You should also escape your queries.
Lixas
Posts: 750
Joined: Wed Feb 16, 2005 4:21 pm

Post by Lixas »

So, with escaping it is safer to do MySQL queries?? I'm a little confused about that :-/
Max
Posts: 44
Joined: Tue Jul 12, 2005 9:12 am

Post by Max »

Stupid example to understand the need to escape:

Suppose you have a table with the fields: id, user and is_admin.
You write a simple query to change the user:
$query = 'UPDATE table SET user=\''.$user.'\' WHERE id='.$id;
But if you don't escape the $user variable, a cracker could use the value: foo ' ,is_admin='true
And your query will set its is_admin flag to true.
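The update from the post above, carried through both ways as an added example (not code from the thread): the concatenated query with that value, and the same update as a prepared statement. It assumes a `users` table in an in-memory SQLite database via PDO, in place of MySQL, so it runs without a server.

```php
<?php
// Added example, not from the thread. Table name "users" and the SQLite
// in-memory database are assumptions so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, is_admin TEXT)");
$db->exec("INSERT INTO users (id, user, is_admin) VALUES (1, 'alice', 'false')");

// The value from the post: the quote closes the string literal and the rest
// becomes a second column assignment inside the SET clause.
$user = "foo ' ,is_admin='true";
$id   = 1;

function readRow(PDO $db, int $id): array {
    $stmt = $db->prepare('SELECT user, is_admin FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 1. Vulnerable: the same concatenation as in the post. The SQL text becomes
//    UPDATE users SET user='foo ' ,is_admin='true' WHERE id=1
//    so the database is asked to change is_admin as well as user.
$sql = 'UPDATE users SET user=\'' . $user . '\' WHERE id=' . $id;
$db->exec($sql);
$row = readRow($db, $id);
echo "concatenated: user=[{$row['user']}] is_admin=[{$row['is_admin']}]\n";

// Reset the row before doing it properly.
$db->exec("UPDATE users SET user='alice', is_admin='false' WHERE id=1");

// 2. Fixed: a prepared statement sends the SQL and the value separately, so the
//    quote and the ",is_admin='true" tail are stored as plain text in the user
//    column and the SET clause the database parses never changes.
$stmt = $db->prepare('UPDATE users SET user = :user WHERE id = :id');
$stmt->bindValue(':user', $user, PDO::PARAM_STR);
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = readRow($db, $id);
echo "prepared:     user=[{$row['user']}] is_admin=[{$row['is_admin']}]\n";
```

The first echo shows is_admin flipped by nothing more than the submitted username; the second shows the whole string stored as a name with the flag untouched.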
Lixas
Posts: 750
Joined: Wed Feb 16, 2005 4:21 pm

Post by Lixas »

So, using parameters in the URL address, or somewhere else, a cracker can crack my db??
If yes, then mhmmm, bad, so I will have to rewrite all my home-made CMS (content management system) script. But better more work on the security side than a cracked page :)
UNDERCOVER
Posts: 115
Joined: Tue Apr 05, 2005 1:02 pm

Post by UNDERCOVER »

Hey Totaled_Eclipse, bad news for you: them chat scripts you have, nanyo fixed them so they can be hacked, and unless you re-edit them you can't stop it. It's crunk that's hacking them; he worked on the files, so you're just better off getting new ones.
toychoq
Posts: 108
Joined: Fri Apr 15, 2005 9:11 am

Post by toychoq »

What?
How should we avoid it?