Bullet-Proof SQL Injection Defense


Post by Goatboy on Tue Mar 29, 2011 2:59 pm

Found this on HackerNews:

http://www.cadw.wales.gov.uk/

View the source, and prepare to be amazed by the best SQL Injection defense EVAR.

Not sure what's worse. The fact that this is in a production environment, or that I am not at all surprised it is in a production environment.

Re: Bullet-Proof SQL Injection Defense

Post by OnlyHuman on Tue Mar 29, 2011 3:15 pm

Well, you said it yourself. It's bullet proof. No way around that. And they left select unfiltered, which is good... for... admins. You know, because they may need to select something, from another non-filtered source, such as information_schema. But that's just taking a guess at the database they're using, based solely on the things they did choose to filter.

EDIT

WTF? I swear that wasn't filtered a second ago. Eyes are playing tricks on me. Just have to resort to more nefarious methods of circumventing that security, such as disabling JavaScript or something.