Sql Injection Help? Http://www.inhumangames.com/lo…

Author: admin  //  Category: SQL Injection

Could you check out this website? Is it unsafe? Possible to use SQL injection on it??? Please answer… I don’t know how many people will actually open this. Don’t post any tools for SQL Injection, or tutorials. Just tell me how you would do this. No long-winded explanations. Just give me the answer.
The site is: http://www.inhumangames.com/Login
I think it’s vulnerable, it gives all the red lights.
It uses POST, and the two fields there are called “trashp” and “trashplayer”.
Don’t worry, I’m doing this just to help these guys, I’m sitting in the guy’s office right now. But I don’t have enough time to do a whole SQL injection process… my tools (I use Absinthe) don’t work because this PC doesn’t have .NET Framework
Hope anyone even sees/understands this…
And if the site can’t be fixed by regular methods, please tell me how to…

Question About Sql Injection In Php?

Author: admin  //  Category: SQL Injection

I saw someone write code like this:
$sql = "select Password from user where EmailAddress='" . $_REQUEST['EmailAddress'] . "'";
mysql_query($sql);
… etc …
When I pointed out that this code is vulnerable to SQL Injection, the coder said “prove it!”… Well, I went and tried it on the test website but it appears that PHP has some sort of built-in protection… The characters get automatically escaped. Where is this documented?
Thanks

Help With Sql Injection?

Author: admin  //  Category: SQL Injection

Heya,
OK, my uncle has recently built a text-based game using PHP and he wants to make sure his login is secure from SQL injection, so basically what I’m asking here is for somebody to give me a link to a tutorial on how to do SQL injection on a PHP login form.
Thanks for any help

Sql Injection Prevention?

Author: admin  //  Category: SQL Injection

Hi, I’m a newbie to the concept of SQL injection. How can I prevent this kind of issue? All the tutorials on the net seem to be very hard to understand at my level.
What should I include in the code? I have error traps like wrong user input and stuff.
What should I prevent?
I need some help. THANKS!

Sql Injection My Idea?

Author: admin  //  Category: SQL Injection

I have little knowledge about SQL injection. All I know is that the hacker can type the query in the input boxes, so my plan is to trap the input that has INSERT, DELETE, SELECT (and other potential queries) in it, and other input that has a semicolon and more than one apostrophe.
Is my plan OK? Or does it seem ridiculous?

Quick Sql Injection Question?

Author: admin  //  Category: SQL Injection

I’m using SQL Server 2005 and C# 1.1. I do know about SqlCommand and Parameters to eliminate SQL injection, but if I were forced to create a dynamic query and were unable to use Parameters, to avoid SQL injection is it ONLY necessary to replace all instances of a single quote with two single quotes in incoming user data?
Thank you

Privilege Escalation Via Sql Injection?

Author: admin  //  Category: SQL Injection

Is there a way to escalate SQL privileges via SQL injection?

Does Anyone Know Sql Injection Attacks?

Author: admin  //  Category: SQL Injection

How can I access my T-Mobile account through an SQL injection attack? I’ve only heard it was possible. I don’t even know how to go about it. Is there a program I need or something? My phone was stolen. I don’t want to close my account because of the early term. fee, and my online account password was changed. How do I do this?

Sql Injection Invalid Characters?

Author: admin  //  Category: SQL Injection

Does anyone know if a hacker can attack my site with SQL injection if, when he types in a query like a' or 'a' = 'a, my login form says invalid characters in username? Is there a way for a hacker to bypass this error?

Any Sql Injection Prevention Methods?

Author: admin  //  Category: SQL Injection

Hello friends, I am making a chat application but I am in a dilemma. Normally in a chat, people can speak of anything using just about any character on the keyboard or any word, including words like DELETE * FROM —— etc., opening the way for SQL injection.
So I was thinking that a good idea is to encode everything that I am getting from the user and only then put it in my database, and decode it into normal words when I am taking it out. Maybe, say, using ASCII encoding itself. Like DELETE can be encoded into 686976698469. This way everything that goes into the database is safe.
But I was thinking that if the solution to SQL injection attacks is so simple, then why is it often discussed as a major problem? Am I missing a point here? Please reply.
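
Added example, not part of any of the posts above: a comparison of the concatenated query from the PHP post with a parameterized query, alongside the keyword blocklist from the "My Idea" post and the chat storage case from the last post. It uses Python's sqlite3 module rather than PHP or SQL Server; the sample rows, the chat table and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; user table columns follow the PHP post above.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (EmailAddress TEXT, Password TEXT)")
    conn.execute("CREATE TABLE chat (body TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice@example.com", "pw-a"), ("bob@example.com", "pw-b")])
    return conn

def lookup_concat(conn, email):
    # Vulnerable pattern: user input becomes part of the SQL text.
    sql = "select Password from user where EmailAddress='" + email + "'"
    return conn.execute(sql).fetchall()

def lookup_param(conn, email):
    # Parameterized: the value is bound separately and never parsed as SQL.
    return conn.execute(
        "select Password from user where EmailAddress=?", (email,)).fetchall()

def keyword_filter_allows(text):
    # The blocklist idea from the "My Idea" post, for comparison.
    blocked = ("insert", "delete", "select", ";")
    no_keywords = not any(word in text.lower() for word in blocked)
    return no_keywords and text.count("'") <= 1

def store_chat(conn, body):
    # Chat text is stored verbatim; no encoding or keyword filtering needed.
    conn.execute("INSERT INTO chat (body) VALUES (?)", (body,))
    row = conn.execute("SELECT body FROM chat ORDER BY rowid DESC LIMIT 1")
    return row.fetchone()[0]

def demo():
    conn = make_db()
    probe = "a' or 'a'='a"  # the string quoted in the "Invalid Characters" post
    msg = "Don't DELETE * FROM user; it's Bob's"  # ordinary chat text
    return {
        "concat_rows": len(lookup_concat(conn, probe)),   # matches every row
        "param_rows": len(lookup_param(conn, probe)),     # matches nothing
        "filter_allows_msg": keyword_filter_allows(msg),  # blocklist rejects it
        "stored": store_chat(conn, msg),
        "users_left": conn.execute("SELECT COUNT(*) FROM user").fetchone()[0],
    }

if __name__ == "__main__":
    print(demo())
```

The blocklist rejects a harmless chat message, while the bound parameter stores the same message unchanged and leaves the user table intact.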