Collaborate Disseminate
Recently when I was looking through some code which looks more or less like this:
$query = “call someProcedure(?,?,{$unsafeString})”;
Then there is some code where the list of arguments is prepared and after that, there i… Continue reading Is it possible to breach prepared statement and stored procedures with unsafe sql query string
Recently when I was looking through some code which looks more or less like this:
$query = “call someProcedure(?,?,{$unsafeString})”;
Then there is some code where the list of arguments is prepared and after that, there i… Continue reading Is it possible to breach prepared statement and stored procedures with unsafe sql query string
The PASSWORD function in MySQL can be translated to the code in php:
function mysql_password($string){
$pass = strtoupper(
sha1(
sha1($string, true)
)
);
$pass = ‘*’ . … Continue reading The security of the PASSWORD function in MySQL
The PASSWORD function in MySQL can be translated to the code in php:
function mysql_password($string){
$pass = strtoupper(
sha1(
sha1($string, true)
)
);
$pass = ‘*’ . … Continue reading The security of the PASSWORD function in MySQL
Using SQLMap in this way:
sqlmap -u “xxxxx” –dbms=MySql –dbs –user-agent=”Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Firefox/45.0″ -D xxxxx -T “#__xxxxx” –columns
I am obtaining this warning:
[23:39:07… Continue reading SQLMap Strange Dump Result
I’m trying to make a connection to an SQL server in php. Is it safe to just put the database credentials in plaintext in the .php file? Can a user edit the php code in a a .php page and change the way an input is handled?
… Continue reading Store SQL database credentials in a webserver
I am running a ProFTPD Server on Ubuntu 12.04 and do the user authentication with MySQL. I am looking for a secure way to hash passwords.
There a lot of built-in hash functions in MySQL, but a lot of them are deprecated, su… Continue reading Is it safe to use the ENCRYPT() function in MySQL to hash passwords?
Someone is trying to SQLi my domain using sqlmap. I’m getting a lot of errors from mysql.
My server access log shows:
– – HTTP/1.1″ 200 10559 “-” “sqlmap/1.0.4.0#dev (http://sqlmap.org)”
I have tried block… Continue reading someone trying to SQLi server using sqlmap
I’m playing with SQL injection (for educational purpose only blah blah) and I got stuck on this weird (to me) web application behaviour:
I successfully injected the following payload
page.php?id=-1 union all select 1,2,3 –… Continue reading SQL injection weird web app behaviour
I have a table in a database (Mysql) which contains a field which stores sql strings on it. I mean complete queries as text (always select statements). To modify one of that queries is a “pain in the ass” because is needed fi… Continue reading How bad is allow edit a database field containing an sql from a form?