12-14-2008, 09:46 PM | #18
Wizard
Join Date: Sep 2007
Posts: 1,299
Thanks: 17
First off, this thread is over a year old. It belongs in a new thread, please read the dates before posting.
Second, that technique will not work and it strips functionality.
To inject anything, you just have to separate it by a removed character, this:
Will return
Thus opening it to attack.
It also takes out characters that could be used for legit purposes. Escaping them is how it should be done, and mysql_real_escape_string() does this just fine (I see no real use for sprintf; it seems like adding another layer of processes with no advantage).
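An added illustration of the point made in the reply above (example code, not from the thread or any of its posters). The PHP snippet the reply refers to is not on the page, so this is written in Python against an in-memory SQLite table constructed here: a case-insensitive keyword blacklist stands in for the strip-based "sanitizing" technique, a minimal quote-doubling function stands in for what mysql_real_escape_string() does for the quote character (the real function also handles backslash, NUL, newlines and the connection charset), and a bound-parameter query is shown alongside it. The user rows and the payload are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory users table standing in for the MySQL table of the thread.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    db.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("admin", "s3cret"), ("O'Brien", "hunter2"), ("Oregon", "beaver")],
    )
    db.commit()
    return db


# Tokens a typical "remove the dangerous words" filter deletes (assumed list).
BLACKLIST = ("UNION", "SELECT", "OR", "--")


def strip_filter(value):
    """The strip-based technique: delete every blacklisted token.
    Each token is removed in a single left-to-right pass (same behaviour as
    PHP str_ireplace), so text that *becomes* a token after deletion survives."""
    for token in BLACKLIST:
        value = re.sub(re.escape(token), "", value, flags=re.IGNORECASE)
    return value


def escape_value(value):
    """Minimal escaping: double each single quote, the SQL-standard way to put a
    quote inside a quoted literal.  Simplified stand-in for the quote handling of
    mysql_real_escape_string(); the data itself is preserved, not removed."""
    return value.replace("'", "''")


def login_stripped(db, username, password):
    """Vulnerable: values are 'cleaned' by stripping and then interpolated."""
    sql = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (
        strip_filter(username), strip_filter(password))
    return [row[0] for row in db.execute(sql)]


def login_escaped(db, username, password):
    """Escaped: quotes in the values cannot terminate the literal."""
    sql = "SELECT id FROM users WHERE name = '%s' AND pw = '%s'" % (
        escape_value(username), escape_value(password))
    return [row[0] for row in db.execute(sql)]


def login_parameterized(db, username, password):
    """Bound parameters: the driver keeps data and SQL apart entirely."""
    sql = "SELECT id FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    # "OORR" is "O" and "R" separated by the removed token "OR": one pass of the
    # filter deletes the inner "OR" and the outer letters close up into "OR".
    payload = "' OORR '1'='1"
    print(strip_filter(payload))                              # ' OR '1'='1
    print(login_stripped(db, "admin", payload))               # [1, 2, 3]  every user
    print(login_escaped(db, "admin", payload))                # []
    print(login_parameterized(db, "admin", payload))          # []
    # Stripping also mangles legitimate data: "Oregon" loses its leading "Or".
    print(strip_filter("Oregon"))                             # egon
    print(login_stripped(db, "Oregon", "beaver"))             # []  real user locked out
    print(login_escaped(db, "Oregon", "beaver"))              # [3]
    print(login_escaped(db, "O'Brien", "hunter2"))            # [2]
    print(login_parameterized(db, "O'Brien", "hunter2"))      # [2]
```

The stripped version returns every row for the constructed payload because the filter runs once per token and never re-checks its own output, while the escaped and parameterized versions return nothing for the payload and still match the legitimate "Oregon" and "O'Brien" accounts that the strip filter either mangles or cannot quote safely.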