Forum Moderators: coopster


Security question

how to test against mysql injection

         

4string

2:25 pm on Apr 5, 2005 (gmt 0)

10+ Year Member



I'm wondering what to expect from someone trying to perform a mySQL injection attack. What are they going to try to input? I want to be able to test it before someone else does. Any advice or resources for this?

dcrombie

4:23 pm on Apr 5, 2005 (gmt 0)



Google [google.com] ;)

jatar_k

5:37 pm on Apr 5, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



injection is fascinating stuff

>> What are they going to try to input?

the basic premise is to inject queries and or commands. Error messages give database information, sometimes that knowledge can be used to learn more about the db structure from the outside such as fields, versions, tablenames.

commenting syntax can be fed into text fields to force scripts to execute alternate or extra queries

never show unhandled db errors, test all user entered data

fairly standard rules

dmmh

6:25 pm on Apr 5, 2005 (gmt 0)

10+ Year Member



use mysql_real_escape_string($input) to get rid of most of your worries

jatar_k

6:44 pm on Apr 5, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



'cept I use Oracle
and then there is postgres, interbase, mssql, etc

understanding how it works and knowing what to look for will mean you can make an input test function that would work regardless of what db you are using.

not that your advice is bad in any way dmmh, no offense intended, you are spot on it will take care of most of your worries, but I just want to make sure those reading this thread understand that the mysql_real_escape_string was created with an understanding of injection and safe chars.

Even though I do use that function for mysql, it isn't necessarily there in other function sets for other dbs.

dmmh

9:07 pm on Apr 5, 2005 (gmt 0)

10+ Year Member



very true of course, but PHP and MySQL are known to go together a lot :)

ironik

10:22 pm on Apr 5, 2005 (gmt 0)

10+ Year Member



Normally the ' character is a nasty character in any variable inserted into a SQL query, and often used to break the intended query in order to inject something malicious.

Very basic protection against SQL injection attacks (or at least make it much more difficult to achieve) can be gained by removing unwanted ' characters, and of course thoroughly testing any foreign data.
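To make the three approaches in this thread concrete (pasting input into the SQL text, stripping the ' character as ironik suggests, and sending the value separately the way an escaping or parameterised API does, as dmmh suggests), here is a small added example written for this reply; it is not code from any poster. It assumes Python's built-in sqlite3 module standing in for MySQL/PHP so it runs offline, and the users table and the name O'Brien are constructed sample data. It also shows jatar_k's point about never letting a raw database error reach the user.

```python
import sqlite3

# Constructed sample data; SQLite stands in for MySQL so the example runs offline.
SAMPLE_USERS = [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")]


def make_db():
    """Build an in-memory table with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """Vulnerable pattern: user input pasted straight into the SQL text.
    A single quote in the input ends the string literal early, so the rest
    of the input is parsed as SQL instead of as data (here it raises an error)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_strip_quotes(conn, name):
    """ironik's 'remove unwanted quotes' idea: it stops the quote from ending
    the literal, but silently changes legitimate data (O'Brien becomes OBrien
    and is no longer found)."""
    cleaned = name.replace("'", "")
    sql = "SELECT email FROM users WHERE name = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so a quote in the input is just a character to match."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def safe_lookup(conn, name, lookup=lookup_param):
    """Wrapper that never lets a raw database error message reach the user;
    a real app would log the exception internally and return a generic failure."""
    try:
        return {"ok": True, "result": lookup(conn, name)}
    except sqlite3.Error:
        return {"ok": False, "result": []}


def run_quote_test(name="O'Brien"):
    """Self-test: what each strategy does with an input containing a quote."""
    conn = make_db()
    out = {}
    try:
        out["concat"] = lookup_concat(conn, name)
    except sqlite3.Error as e:
        # This is the kind of message that, if shown, leaks db details.
        out["concat"] = "db error leaked: " + str(e)
    out["strip"] = lookup_strip_quotes(conn, name)
    out["param"] = lookup_param(conn, name)
    return out


if __name__ == "__main__":
    print(run_quote_test())
    print(run_quote_test("alice"))
```

Running it shows the concatenated query failing on the quoted name (the error text names the broken token), the stripped version returning nothing for a real user, and the parameterised version returning the right row; the same split between SQL text and values is what mysql_real_escape_string or a prepared statement gives you in PHP.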

4string

4:08 am on Apr 6, 2005 (gmt 0)

10+ Year Member



Thanks for all the replies. I didn't know if there was a standard set of commands to test for. I think I'm doing an ok job of validating input. It sure is a pain. Why can't people play nice?

jatar_k

4:11 am on Apr 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



hehe

there will always be bored fingers with malicious intent and there will always be smarter ones than mine.

We take reasonable means and hope we are quick enough if the time comes. ;)

ironik

5:03 am on Apr 6, 2005 (gmt 0)

10+ Year Member



I'll second jatar_k!

It's almost impossible to outsmart every attack, you just have to make it as fiendishly difficult as possible...

Also, when you've put every bit of protection you can think of into your site, try to start putting 'harm minimisation' into place, i.e. try to imagine that a hacker can access protected bits on your site and then think what you can do to reduce the amount of damage they can do while they are attacking (flood control on forms, random image codes, shorter session expiry times). It's easier to delete 100 articles posted by some spam bot than 100,000.

jatar_k

5:13 am on Apr 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



we spend a lot of time making things difficult

if someone can get in through that we wouldn't have been able to keep them out anyway kinda stuff

I make it very difficult, I think the key to security is understanding that you aren't smarter than everyone and they really can get in. When you keep that in mind it changes the way you do things.

I build tripwires all over the place from both a programmer's and a sysadmin's standpoint. If something goes awry, at some point something will call me, literally, send me a text message on my phone and other phones as well. At some point the software or monitoring systems are taught to understand they need help and they need me and my compatriot.

I have been through a few hack attempts, the logs streaming by, the command line excitement. It never really looks like it does in the movies but it is twice as real. I don't expect to beat everyone but if I am called to the console I at least expect a challenge. ;)

ironik

5:22 am on Apr 6, 2005 (gmt 0)

10+ Year Member



A little off topic, but jatar_k can I ask what sort of tests you do internally once you're past your initial defences? (just wondering whether you're using some sort of token identification, or challenge-response thingy or something I haven't even heard of yet...)

jatar_k

5:27 am on Apr 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



well, the best I can offer is anything and everything

as many lines of defence as we can find, we get into proprietary and all that here and more NDAs than we can shake a stick at, sry

<added>I always look at it as software management via pattern recognition, that's what is beyond the regular old stuff

constant analysis, pattern recognition at every level of the software. Understand how it might be used for good or ill and you start to see what the pattern of an attack would be.

ironik

5:34 am on Apr 6, 2005 (gmt 0)

10+ Year Member



No worries mate, understood. :)

back on topic and I found an excellent article on cross site exploits if anyone wanted to do some reading:

[cgisecurity.com...]

henry0

12:21 pm on Apr 6, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks, nice finding
A while ago I spent a part time year going back to a U for the purpose of taking a Web Architecture course
Part of the course was on security
Actually we had an outstanding guy teaching the course, publishing articles in mainstream magazines and who was called by the White House for consulting about Code Red (you certainly remember it from a few years ago)

Anyways to make a long story short what strikes me is that to learn about Security one is learning about Hacking...!