
TheBuzzSaw
Reaction score
1,578

  • Just out of curiosity, have you always had that profile picture (Ganon and YL)?

    I get a vibe that you've had it there for a long time.
    She's really good at making people sweat.

    Do you like Halle Berry?

    I like the speed with which you reply :D
    You should buy Tarot cards. They're so cool when they're accurate. I have a deck :O

    Also, very very very late congrats on your admin status lol :colorful:
    That's so weird. Like yesterday my user title was "My Immortal" and now yours is "The Immortal".

    Hm.
    Point taken. I apologize for the immature bickering; I let my stubborn nature take hold when I shouldn't have.

    /behaviorjohns
    The thread did serve a purpose, one that you simply choose not to tolerate.

    I believe the decision to lock the thread was rushed, but whatever...I can't argue against the authority of a moderator.

    I'll think of a "better" topic to discuss, I suppose.
    Hi Buzz, my friend made a really nice group, care to join us? It's pure randomness and fun, I'm sure that you'd have a great time there. What do you say?
    I'm sorry... I'll look at your thoughts instead.

    Also... Which Open Source shooters? If they're WW-crud, I'd rather not. XD
    But generally I'm open-minded for stuff.
    Says the one playing Zelda (and possibly Sheik) ;P
    Why being afraid of the symbol of the Sheikah? XD
    Word on the street says you're coming to WHOBO and claiming that you're gonna get first?

    Keep talking K***y, keep talking.
    There's lots of things that are "in general, bad to do" that might not necessarily be weaponizable in every case. It's highly implementation dependent.

    Put your web app online and let me take a look at it like that! ;)
    Ah, I think I missed where you said that the function put quotes around the string. You'd have to get more fancy in that case. Like use comments, or escaped characters maybe.

    You still need to strip out other special characters, though. Just replacing the quote character isn't enough. & % # ' ; are all dangerous, off the top of my head.

    BTW: Why are you trying to do this by hand? Just about every language has built-in sanitizing functions already. And they do them in a different (and better) way. Rather than trying to find and replace "bad characters" in the input string, you should be just escaping every character.

    So if someone entered a username as

    a' OR '1=1';--

    then that exact string would get entered as their username into the database. No mangling of the input which restricts user input and causes usability problems. (Especially with password fields, where you WANT there to be special characters)
    My example (below) never used a single quote. the attack string is just:

    pwned; drop tables *;

    That's all.
    As always, it depends on the SQL implementation. (I assume you're using MySQL?) And the actual query you're making.

    But if your query is something simple like...

    Select * from IMPORTANT $string$

    and my string is

    pwned; drop tables *;

    Your query becomes

    Select * from IMPORTANT pwned; drop tables *;

    Which will select... nothing. Then drop all your tables. It will treat everything after the semicolon as a new command. Though not all SQL implementations allow multiple commands on one line. But there are lots of little tricks like that.
    Oh yea, there's still plenty that can go wrong. You have to watch out for lots of special characters. It depends on the implementation, but you can also get away with typing in the ASCII codes for the characters. So I could type &#39 (HTML for single quote) or %44 (escaped single quote).

    Plus it's not just single quotes to watch out for. You have to sanitize all characters that can comment.

    Most SQL dialects use two dashes for comments. -- You can get a SQL injection that way, too.

    Also, the semicolon will allow two statements on one line. You can't allow semicolons. I could just enter the value:

    Hi I'm Alt; drop tables *;


    The problem is that you're trying to blacklist. But in doing that, you're almost always going to miss something. It's better to whitelist. Specify legal characters (like alphanumeric) and reject all others.
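    The concatenation-versus-escaping discussion in the posts above, worked through as an added example that is not from any of the thread's participants. It uses Python's standard-library sqlite3 module with a users table and two accounts constructed for the demo; parameter binding stands in for the "escape every character" approach the post recommends (the driver does the escaping). It also shows the allow-list check from the last post, and the "depends on the implementation" point about stacked statements: sqlite3's execute() refuses a second statement outright, while executescript() is used here only to stand in for a driver or dialect that runs everything after the semicolon.

```python
import re
import sqlite3

# Constructed sample data for this example; not from the original thread.
SEED_SQL = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('alice', 'hunter2'), ('bob', 'pa55word');
"""


def fresh_db():
    """New in-memory SQLite database holding the two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SEED_SQL)
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


# --- Vulnerable: untrusted input is pasted into the SQL text ------------------

def lookup_sql(username):
    """Query built by concatenation, like 'Select * from IMPORTANT $string$'."""
    return f"SELECT username FROM users WHERE username = '{username}'"


def login_concat(conn, username, password):
    """Login check built by concatenation: quotes, -- and ; in the input
    are all parsed as SQL, so a tautology or a comment defeats the check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return sorted(row[0] for row in conn.execute(sql))


def stacked_attempt_refused(conn, username):
    """sqlite3.execute() accepts exactly one statement, so a payload that
    smuggles a second one is refused. Returns True when the driver refused it."""
    try:
        conn.execute(lookup_sql(username))
        return False
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True


def stacked_attempt_permissive(conn, username):
    """executescript() stands in for a driver that allows stacked statements.
    Returns whether the users table survived the injected DROP."""
    conn.executescript(lookup_sql(username))
    return table_exists(conn, "users")


# --- Hardened: parameter binding, plus an allow-list where the format is known --

def login_param(conn, username, password):
    """The driver binds the values; the input is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def register_param(conn, username, password):
    """Stores the input verbatim and reads it back: no mangling of the username."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))
    row = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(s):
    """Allow-list check (alphanumerics and underscore) rather than a blacklist."""
    return USERNAME_RE.fullmatch(s) is not None


if __name__ == "__main__":
    tautology = "' OR '1'='1"
    print(login_concat(fresh_db(), "nobody", tautology))    # ['alice', 'bob']
    print(login_param(fresh_db(), "nobody", tautology))     # []
    print(login_concat(fresh_db(), "alice'--", "wrong"))    # ['alice']
    payload = "x'; DROP TABLE users; SELECT 'done"
    print(stacked_attempt_refused(fresh_db(), payload))     # True
    print(stacked_attempt_permissive(fresh_db(), payload))  # False
    print(register_param(fresh_db(), "a' OR '1=1';--", "p"))  # stored verbatim
    print(is_valid_username("a' OR '1=1';--"))              # False
```

    Binding parameters is the fix; the allow-list is a second layer for fields whose legal alphabet is known (a username), not a substitute for it, since a password field should accept every special character and still be safe.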
    Cool, I'd rather be called Chocobo but I put in this name so I fail :(

    It's not that I don't like my name but I want something that is more....well....me, you get what I'm saying?

    Buzz, did you get Star Ocean the Last Hope?