Programming Forums
Old Nov 7th, 2006, 12:36 PM   #1
ktsirig
PHP & Mysql injection in phplist

Hello all,
I want to secure a page which uses the script of "phplist". Basically this script stores username, name, surname, email etc of users in order for the company to send newsletters to their clients.
Apart from stripping slashes, backslashes, etc. or special characters, are there any other ways to protect the data stored in the db from someone who wants to "lay their hands" on it?

Thank you!
Old Nov 7th, 2006, 12:52 PM   #2
Jimbo
You should probably use mysql_real_escape_string() and that should mostly cover you from user input.
__________________
<insert disclaimer here>
<insert shameless plug for Visual Studio here>
Old Nov 7th, 2006, 2:35 PM   #3
kruptof
I think there are a lot of ways to do this... You could check if the person has actually come from the page that you wanted them to come from. Also, you could check if (get_magic_quotes_gpc()) is set, and if yes then I think you should use strip slashes, then use mysql_real_escape_string. Just try to make the perpetrator's life a bit harder.
__________________
Quote:
When I was young it seemed that life was so wonderful,a miracle, oh it was beautiful, magical.
Now watch what you say or they'll be calling you a radical,a liberal, oh fanatical, criminal. Oh won't you sign up your name,we'd like to feel you're acceptable, respectable, oh presentable, a vegetable
Old Nov 10th, 2006, 2:06 AM   #4
jsilver608
You may want to use something like the ADO mysql framework, which allows prepared statements (these can also be more optimized in some situations).
__________________
High Performance PHP
http://www.whenpenguinsattack.com
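
A sketch of the prepared-statement approach suggested in the post above, as an added example that is not part of the thread and not phplist's own code. It uses PHP's PDO; the `subscribers` table, the function names and the sample values are hypothetical, and an in-memory SQLite database (requires the pdo_sqlite extension) stands in for MySQL so the script runs offline.

```php
<?php
// Added example: table, columns and function names are hypothetical.
// SQLite in memory stands in for MySQL; with MySQL only the DSN changes,
// e.g. new PDO('mysql:host=...;dbname=...', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With the MySQL driver, also turn off emulation so the server binds values:
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

$pdo->exec('CREATE TABLE subscribers (
    id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL UNIQUE)');

function addSubscriber(PDO $pdo, string $name, string $email): bool
{
    // Validate before storing: reject anything that is not a well-formed address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Placeholders keep user-supplied values out of the SQL text entirely,
    // so no escaping or slash stripping is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO subscribers (name, email) VALUES (:name, :email)');
    return $stmt->execute([':name' => $name, ':email' => $email]);
}

function findByEmail(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, email FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data: the apostrophe in the name is stored as-is.
addSubscriber($pdo, "Miles O'Brien", 'miles@example.com');
addSubscriber($pdo, 'Alice', 'alice@example.com');

// Constructed input shaped like a SQL fragment. Bound as a parameter it is
// compared as a literal string and cannot alter the WHERE clause.
$suspicious = "x' OR '1'='1";

echo 'Rows matching the SQL-shaped input: ', count(findByEmail($pdo, $suspicious)), "\n";
echo 'Rows matching a real address: ', count(findByEmail($pdo, 'miles@example.com')), "\n";
echo 'SQL-shaped input accepted as an email: ',
    var_export(addSubscriber($pdo, 'Bob', $suspicious), true), "\n";
```
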
Old Nov 10th, 2006, 7:36 AM   #5
codetaino
This page gives hints of security issues with php and sql... hope it helps

http://www.sitepoint.com/article/php-security-blunders
__________________
"God bless u all" :)
DaniWeb IT Discussion Community
All times are GMT -5.