LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 06-04-2007, 02:33 AM   #1
inaki
Member
 
Registered: Mar 2005
Posts: 94

Rep: Reputation: 15
SQL Injection


Hi all, i've try SQL injection which is input is '--. But the question is, How do we determine that SQL injection is success. It is because the response is "HTTP/1.0 500 Internal Server Error".

TQ
 
Old 06-04-2007, 03:05 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
well it totally depends on the form of attack... could be all sorts of responses. and of course we do not advocate doing any of this, and will not actively help you learn these sorts of techniques.
 
Old 06-04-2007, 04:27 AM   #3
inaki
Member
 
Registered: Mar 2005
Posts: 94

Original Poster
Rep: Reputation: 15
If i'm not learned and somebody doesn't want to guide me, how can i understand and defending my web system.
 
Old 06-04-2007, 04:41 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
The MySQL manual has a chapter called "General Security Guidelines" with a checklist of things to avoid.
 
Old 06-04-2007, 06:15 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
Quote:
Originally Posted by inaki
If i'm not learned and somebody doesn't want to guide me, how can i understand and defending my web system.
i gave you your answer... it could be anything. sql injection is a way to make an sql database do something the original connection wasn't confgured to do. there's hundreds of different things this could lead to... system corruptiong, information disclosure etc... there's no one way to know if it worked without knowing what the actual injection exploit is.
 
Old 06-04-2007, 06:22 AM   #6
inaki
Member
 
Registered: Mar 2005
Posts: 94

Original Poster
Rep: Reputation: 15
Thank you for an advise. i am sorry if anybody got hurts on my sentence.
 
Old 06-04-2007, 06:42 AM   #7
msantinho
Member
 
Registered: Oct 2005
Location: Lisbon
Distribution: Slackware
Posts: 56

Rep: Reputation: 17
Possible answers are:
1. always escape strings you use to fetch records from database
2. trust users, don't trust on what they type

For example:
what could happen if you have a page wich displays information based on an ID?

Code:
$sql = "SELECT * FROM table WHERE idrecord = $id_passed_from_post_or_get;";
Now, imagine some user tries to access this page with:
Code:
http://www.example.com/index.php?id=unexpected_sql_statement_here
With that sql statement, _anything_ can happen to your server.

Oh, by the way, for your "HTTP/1.0 500 Internal Server Error" check the server logs. Probably you will see an SQL error there.

Miguel

Last edited by msantinho; 06-04-2007 at 06:44 AM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: MySQL addresses SQL injection vulnerability LXer Syndicated Linux News 0 06-02-2006 07:54 AM
LXer: PostgreSQL addresses SQL injection vulnerabilities LXer Syndicated Linux News 0 05-24-2006 09:21 PM
LXer: Sql Injection Vulnerability LXer Syndicated Linux News 0 01-24-2006 03:16 PM
sql injection inaki Linux - Security 8 12-22-2005 10:41 AM
Is SQL Injection traceable and is it a serious offence? novkhan Linux - Security 2 05-21-2004 10:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 01:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration