09-21-2010, 08:46 AM
|
|
|
Too lazy to set a custom title
Industry Role:
Join Date: May 2004
Location: West Coast, Canada.
Posts: 10,217
|
Quote:
Originally Posted by roly
A big thanks for everyones input its a huge help 
I've got a lot of sites using variations of this (very old) script, its not suported anymore and i don't have the time to find an alternative and switch to that. so i've just got to try and patch it up as best as possible. they were using something along the lines of this to hack the script:
Code:
page.php?id=-999999999+union+select+concat(login,0x3a,password),1,2,3,4,5+from+adminlogin/
so if i implement some of the recommendations above and also remove union, select, etc as well, hopefully i should be a bit safer. |
If you validate/sanatize the input variables you'll get rid of those types of instances. That's a perfect example of why I check that all integer values (especially id type values) are true integers before using them. |
|
|