Online Security, Safety, Tips, Compliance, Standard
Hackproof How To
Oracle SQL Injection Cheat Sheet
Feb 3rd
http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/

Version
    SELECT banner FROM v$version WHERE banner LIKE 'Oracle%';
    SELECT banner FROM v$version WHERE banner LIKE 'TNS%';
    SELECT version FROM v$instance;

Comments
    SELECT 1 FROM dual -- comment

NB: SELECT statements must have a FROM clause in Oracle so we have to use the dummy table name 'dual' when we're not actually selecting
Protecting PHP and MySQL from SQL Injection
Oct 30th
1) NEGATIVE INPUT FILTERS

The simplest way to prevent this sort of injection is to search the SQL string for semi-colons and double dashes, and remove them before passing the statement to the database. That’s easy in an adequate application language, for example in PHP:

    $protectedqry = str_replace( "--", "", str_replace( ";", "", $qry ));
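
Added example, not from the original post: the negative filter described above applied to three constructed inputs, next to the same lookup with the value bound as a parameter. It goes beyond the filter itself to show what the filter leaves untouched (quote characters) and what it alters (legitimate data containing ';' or '--'). The users table, the sample values, the function name negative_filter and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example; table, rows and inputs are constructed for illustration.

// The negative filter from the text: strip ";" and "--" from the statement.
function negative_filter(string $qry): string
{
    return str_replace('--', '', str_replace(';', '', $qry));
}

// Assumption: in-memory SQLite via PDO stands in for MySQL so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, note TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'a'), ('bob', 'b'), ('semi;colon--dash', 'c')");

$inputs = [
    'alice',             // ordinary value
    "x' OR '1'='1",      // contains neither ';' nor '--', so the filter does not touch it
    'semi;colon--dash',  // legitimate stored value that the filter rewrites
];

foreach ($inputs as $name) {
    // Statement built by concatenation, then passed through the negative filter.
    $filtered = negative_filter("SELECT name FROM users WHERE name = '$name'");
    $concatRows = $db->query($filtered)->fetchAll(PDO::FETCH_COLUMN);

    // Same lookup with the value bound as a parameter: it is never parsed as SQL.
    $stmt = $db->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $boundRows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    printf("%-18s filtered+concat: %d row(s)   bound: %d row(s)\n",
        $name, count($concatRows), count($boundRows));
}
```

The quote-only input still changes the structure of the filtered statement, while the value containing ';' and '--' no longer matches its own row once the filter has rewritten it. The bound lookup treats all three inputs purely as data.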