14 votes, 4 answers, 3k views

How did Anonymous use UTF-16 ASCII to fool PHP escaping?

A few months ago, Anonymous took down a child pornography site using SQL injection. I read in this article that Anonymous claimed that "the server was using hardened PHP with escaping," but they were ...
11 votes, 2 answers, 2k views

Multibyte character exploits - PHP/MySQL

Could someone please point me to a link with some information on multibyte character exploits for MySQL? A friend brought them to my attention, but I've not been able to find much information on the ...
6 votes, 1 answer, 585 views

Do I have to make any more checks if I use prepared statements for integers?

I am currently using PDO with prepared statements for some integer values (see PDO::PARAM_INT). That means I call PDO like this: $stmt = $conn->prepare("SELECT `lastMove` FROM ".GAMES_TABLE. ...
1 vote, 1 answer, 287 views

Is this enough to tackle script / malicious code insertion in GET, POST requests?

I've got legacy PHP code which attempts to prevent script / SQL injection with the following: `if (!empty($_POST)) { reset($_POST); while (list($k,$v)=each($_POST)) { ...`