Archive for September, 2008

Download and Watch Slacker Uprising For FREE

Here is the trailer to Michael Moore's Slacker Uprising, a movie that is available online for free. Let me know your thoughts after you watch it. I will watch it tonight and leave comments below.


SQL Injection

As a programmer you should always be aware of SQL injection attacks. Validate every piece of data you receive before you use it, and especially before it goes anywhere near a database query.

Do not just blindly accept that the parameters you receive are going to be good. 

For example, if you are going to show a post from a blog, your url might look like http://www.cyborgcomputing.com/showPost.php?ID=5.  That would show post #5, right?

What if it was http://www.cyborgcomputing.com/showPost.php?ID=5+union+select+1,2,3,4,5,6+--

Once the web server decodes the query string (each + becomes a space), the ID parameter your script receives is the string: 5 union select 1,2,3,4,5,6 --

You would have a MAJOR problem if your query in PHP is
$result = mysql_query("SELECT * FROM post WHERE ID=" . $_REQUEST['ID']);

The query string that reaches MySQL is now SELECT * FROM post WHERE ID=5 union select 1,2,3,4,5,6 -- and the database happily runs it. The UNION bolts an attacker-chosen row onto your result (the six constants just have to match the number of columns in post, which the attacker can find by trial and error; in a real attack they would select from another table instead), and the trailing -- turns whatever came after the parameter in your original query into a comment.

Try it out on your own and see (the links above are not real). If you are expecting an ID, you should rewrite your PHP to:
$ID = preg_match('/^\d+$/', $_REQUEST['ID']) ? $_REQUEST['ID'] : 1;

Now your ID has to be a run of at least one digit (note the + rather than *; with \d* an empty ID would pass the check and leave you with the broken query WHERE ID=), otherwise you return post #1. This allowlist works because an ID is nothing but an integer; the same effect comes from (int)$_REQUEST['ID']. For anything that is not a plain number, such as a search string or a username, the fix is not a regex but a prepared statement (mysqli or PDO with bound parameters), so the data is handed to the database separately and never becomes part of the SQL text at all.
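To see the payload above actually land, with both fixes beside it, here is an added example in Python rather than the post's PHP (it is not code from the original post). It stands up an in-memory SQLite table called post with six columns so the page's 1,2,3,4,5,6 payload lines up with the column count, decodes the page's query string the way the web server would, and runs the showPost query three ways: concatenated as in the vulnerable line, concatenated after the digits-only check, and with a bound parameter. The column names, the sample rows and the helper names are all assumptions for the illustration; SQLite stands in for MySQL because UNION and the trailing -- comment behave the same way for this purpose.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data (assumed for this example, not from the original post):
# a six-column post table so the payload's "1,2,3,4,5,6" matches the column count.
SCHEMA = """
CREATE TABLE post (
    ID      INTEGER PRIMARY KEY,
    title   TEXT,
    body    TEXT,
    author  TEXT,
    created TEXT,
    views   INTEGER
);
"""
ROWS = [
    (1, "Welcome", "first post", "admin", "2008-09-01", 10),
    (5, "SQL Injection", "scrub your data", "admin", "2008-09-20", 42),
]

# The query string from the page's example URL; the web server turns + into a space.
QUERY_STRING = "ID=5+union+select+1,2,3,4,5,6+--"


def open_db():
    """In-memory SQLite standing in for the MySQL database behind showPost.php."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO post VALUES (?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def decode_id(query_string):
    """What PHP ends up holding in $_REQUEST['ID'] after URL-decoding."""
    return parse_qs(query_string)["ID"][0]


def show_post_vulnerable(conn, raw_id):
    """The page's broken query: the parameter is pasted straight into the SQL text."""
    sql = "SELECT * FROM post WHERE ID=" + raw_id
    return conn.execute(sql).fetchall()


def validate_id(raw_id, default="1"):
    """The page's allowlist fix, using + instead of * so an empty ID is rejected too."""
    return raw_id if re.fullmatch(r"\d+", raw_id) else default


def show_post_validated(conn, raw_id):
    """Still string concatenation, but only a run of digits can reach the SQL."""
    sql = "SELECT * FROM post WHERE ID=" + validate_id(raw_id)
    return conn.execute(sql).fetchall()


def show_post_parameterized(conn, raw_id):
    """Bound parameter: the value travels separately and is never parsed as SQL."""
    return conn.execute("SELECT * FROM post WHERE ID=?", (raw_id,)).fetchall()


if __name__ == "__main__":
    conn = open_db()
    injected = decode_id(QUERY_STRING)
    print("ID parameter: ", repr(injected))
    print("vulnerable:   ", show_post_vulnerable(conn, injected))   # two rows, one attacker-chosen
    print("validated:    ", show_post_validated(conn, injected))    # falls back to post #1
    print("parameterized:", show_post_parameterized(conn, injected))  # no such ID, empty result
```

The vulnerable call returns two rows, the real post #5 plus the injected (1, 2, 3, 4, 5, 6); the validated call never sees the payload and serves post #1; the parameterized call compares the whole string against the ID column as a value, finds nothing, and returns an empty list, while a plain "5" still works through it.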
