PEAK XOOPS - Big Umbrella Anti-SQL-Injection(1)

PHP : Big Umbrella Anti-SQL-Injection(1)
Poster : GIJOE on 2009-01-07 04:37:49 (17870 reads)

Many XOOPS modules and PHP applications are still vulnerable to SQL Injection.

Protector can block some patterns of SQL Injection.
Only "some", not "all".

That is because Protector cannot tell an attack from a fair request by looking at the REQUEST layer alone.

For example, a request containing the word "UNION" gets posted as "UNI-ON".

Such rewriting at the REQUEST layer is nonsense: a fair post that merely contains the word is mangled, while whether the value is actually used as unescaped SQL is never checked. Only the SQL that a module really issues can show that.

So Protector should judge a request by both the REQUEST layer and the DB layer.

XSS:
(a) doubtful requests are found
(b) ob_start() captures the output
(c) compare the requests with the output

SQL Injection:
(1) doubtful requests are found
(2) override the DB layer
(3) compare the requests with the SQLs

Step (3) is not easy to implement, because Protector has to parse the SQLs.
But step (2) will be the bigger problem for XOOPS,
because there is no way to override the DB layer.
I will propose, to all core teams, a modification that makes the DB layer overridable in the next entry.
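What step (3) can look like, as an added illustration written for this page (it is not Protector's or XOOPS's code). It assumes a DB-layer hook that sees every SQL string before it is executed, which the post says XOOPS does not yet offer, and it assumes MySQL-style string literals. The sample request values, the query strings and the `mysql_escape` stand-in are all constructed here. A value that only contains a keyword is never blocked at the REQUEST layer; it is judged by where it ends up in the SQL: entirely inside a string literal means it was used as data (fair), anything else means part of it is being parsed as SQL (injection).

```python
import re

# REQUEST layer (step 1): a value is "doubtful" if it carries an SQL keyword.
# This only marks the value for later judgement; it never blocks or rewrites it,
# so a post that merely says "union" is not mangled into "uni-on".
DOUBTFUL_RE = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.IGNORECASE
)


def is_doubtful(value: str) -> bool:
    return DOUBTFUL_RE.search(value) is not None


def mysql_escape(value: str) -> str:
    # Constructed stand-in for mysql_real_escape_string(): only backslash and
    # single quote are handled, which is enough for the samples below.
    return value.replace("\\", "\\\\").replace("'", "\\'")


def literal_mask(sql: str) -> list:
    """For each character of sql, True if it belongs to a string literal
    (quotes included). Understands '...' and "..." literals, backslash
    escapes and doubled quotes, the way MySQL writes literals."""
    mask = [False] * len(sql)
    quote = None
    i = 0
    while i < len(sql):
        ch = sql[i]
        if quote is None:
            if ch in ("'", '"'):
                quote = ch
                mask[i] = True
        else:
            mask[i] = True
            if ch == "\\" and i + 1 < len(sql):
                mask[i + 1] = True      # escaped character stays in the literal
                i += 2
                continue
            if ch == quote:
                if i + 1 < len(sql) and sql[i + 1] == quote:
                    mask[i + 1] = True  # doubled quote, still inside
                    i += 2
                    continue
                quote = None            # literal closed
        i += 1
    return mask


def occurrences(needle: str, haystack: str) -> list:
    """All (start, end) spans where needle appears verbatim in haystack."""
    spans = []
    start = haystack.find(needle)
    while start != -1:
        spans.append((start, start + len(needle)))
        start = haystack.find(needle, start + 1)
    return spans


def judge(value: str, sql: str) -> str:
    """DB layer (step 3): compare one doubtful request value with one SQL.

    'fair'      : the value is not doubtful, does not appear in the SQL at all
                  (escaped away, cast to int, or unused), or appears somewhere
                  as data, i.e. entirely inside a string literal.
    'injection' : every verbatim appearance of the value (raw or escaped)
                  crosses or lies outside a string literal, so part of it
                  is parsed as SQL.
    """
    if not is_doubtful(value):
        return "fair"
    mask = literal_mask(sql)
    spans = occurrences(value, sql) + occurrences(mysql_escape(value), sql)
    if not spans:
        return "fair"
    if any(all(mask[s:e]) for s, e in spans):
        return "fair"
    return "injection"


# Constructed samples: request values and the SQL a module built from them.
FAIR_POST = "Union members will select a delegate"       # doubtful, but fair
FAIR_SQL = "INSERT INTO bb_posts (body) VALUES ('%s')" % mysql_escape(FAIR_POST)

SEARCH_WORD = "SELECT"                                   # keyword as search term
SEARCH_SQL = "SELECT id FROM bb_posts WHERE body LIKE '%SELECT%'"

ATTACK_ID = "1' UNION SELECT password FROM users WHERE '1'='1"
VULN_SQL = "SELECT * FROM bb_posts WHERE id='%s'" % ATTACK_ID           # raw
SAFE_SQL = "SELECT * FROM bb_posts WHERE id='%s'" % mysql_escape(ATTACK_ID)

NUMERIC_ATTACK = "1 UNION SELECT 1,2,3"
NUMERIC_SQL = "SELECT * FROM bb_posts WHERE id=%s" % NUMERIC_ATTACK     # no quotes

if __name__ == "__main__":
    for name, value, sql in [
        ("fair post", FAIR_POST, FAIR_SQL),
        ("search word", SEARCH_WORD, SEARCH_SQL),
        ("quoted attack, raw", ATTACK_ID, VULN_SQL),
        ("quoted attack, escaped", ATTACK_ID, SAFE_SQL),
        ("numeric attack", NUMERIC_ATTACK, NUMERIC_SQL),
    ]:
        print("%-24s %s" % (name, judge(value, sql)))
```

The "used as data somewhere" rule is what keeps a search for the word "SELECT" from being reported just because the statement itself begins with SELECT. The literal scanner is deliberately small; a real implementation must also skip comments, backtick-quoted identifiers and hex or escaped-by-NO_BACKSLASH_ESCAPES forms, which is exactly why the post calls step (3) hard.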

This idea is based on JM2's work (four years ago!).
He is the real hero of XOOPS.

