[nycphp-talk] Not-so-subtle attack on PHP
Kenneth Downs
ken at secdat.com
Sat Sep 29 09:28:01 EDT 2007
Elliotte Harold wrote:
> Kenneth Downs wrote:
>>
>>> Many things are a waste of the cracker's time, but they do them
>>> anyway. So counting on the result not being worth the time of
>>> cracker is wishful thinking. :-)
>>
>
> Even if one has full cell level security in the DB, I expect there are
> still denial of service injection attacks that may not access any
> cells at all. I'll leave it to the SQL experts to devise the nastiest,
> exponential time problems they can express in SQL. Brownie points for
> doing it in pure SQL without any vendor extensions. :-)
>
Even with db security you have to escape the strings to save things like
the name of our favorite publisher.
So the database has this row in it:
Name: Captain Cracker
Email: you at wont.ever.known
Company: O'Reilly
Comments: I will kill your system';drop database social_networking
And you say, 'hmmm, that's an interesting comment.'
--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com www.andromeda-project.org
631-689-7200 Fax: 631-689-0527
cell: 631-379-0010
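The two points in this message, that an unescaped apostrophe in "O'Reilly" breaks the statement and that a parameterized query stores the hostile comment as inert text, shown as an added example that is not from the original thread. It uses Python's sqlite3 module (rather than PHP, so it runs without a server) against an in-memory table that is an assumption of the example; the row is modelled on the one above.

```python
import sqlite3

# Constructed sample row modelled on the post; the email is a placeholder.
SAMPLE_ROW = {
    "name": "Captain Cracker",
    "email": "you@wont.ever.known",
    "company": "O'Reilly",
    "comments": "I will kill your system';drop database social_networking",
}


def make_db() -> sqlite3.Connection:
    """In-memory database with a single contacts table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts (name TEXT, email TEXT, company TEXT, comments TEXT)"
    )
    return conn


def insert_naive(conn: sqlite3.Connection, row: dict) -> None:
    """String concatenation: every apostrophe in the data becomes SQL syntax."""
    sql = "INSERT INTO contacts VALUES ('%s', '%s', '%s', '%s')" % (
        row["name"], row["email"], row["company"], row["comments"],
    )
    conn.execute(sql)


def insert_param(conn: sqlite3.Connection, row: dict) -> None:
    """Placeholders: the driver sends values apart from the SQL text."""
    conn.execute(
        "INSERT INTO contacts VALUES (?, ?, ?, ?)",
        (row["name"], row["email"], row["company"], row["comments"]),
    )


def try_naive(row: dict) -> str:
    """The publisher's name alone is enough to break the concatenated query."""
    conn = make_db()
    try:
        insert_naive(conn, row)
        return "inserted"
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def stored_with_params(row: dict) -> tuple:
    """With placeholders both the apostrophe and the 'drop' text are just data."""
    conn = make_db()
    insert_param(conn, row)
    return conn.execute("SELECT company, comments FROM contacts").fetchone()
```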