NYCPHP Meetup

[nycphp-talk] Not-so-subtle attack on PHP

Kenneth Downs ken at secdat.com
Sat Sep 29 09:28:01 EDT 2007


Elliotte Harold wrote:
> Kenneth Downs wrote:
>>
>>> Many things are a waste of the cracker's time, but they do them 
>>> anyway.  So counting on the result not being worth the time of 
>>> cracker is wishful thinking. :-)
>>
>
> Even if one has full cell level security in the DB, I expect there are 
> still denial of service injection attacks that  may not access any 
> cells at all. I'll leave it to the SQL experts to devise the nastiest, 
> exponential time problems they can express in SQL. Brownie points for 
> doing it in pure SQL without any vendor extensions. :-)
>
Even with db security you have to escape the strings to save things like 
the name of our favorite publisher.

So the database has this row in it:

Name: Captian Cracker
Email:you at wont.ever.known
Company: O'Reilly
comments:  I will kill your system';drop database social_networking

And you say, 'hmmm, that's an interesting comment.'


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010




More information about the talk mailing list