Oct 20

Everyone's seen the following in almost every SQL injection tutorial on the planet:

UNION ALL SELECT 0,0,0,0,0 FROM users

This is the standard method of SQL injection: slide in a UNION statement to join two SELECT statements together and thus get the data you're looking for. This is fun, but it often produces ugly, hard-to-interpret results.

Oct 14

I was browsing around the PHP online manual (the single best resource for learning about PHP) and I came across several things that I didn't know about that were pretty interesting.

  1. Alternate syntax for control structures (if, while, etc.)
    <?php $a = "b";
    // the colon opens the block and endif closes it, so plain HTML can sit in between
    if($a == "a"): ?>
    a = a
    <?php elseif($a == "b"): ?>
    a = b
    <?php else: ?>
    a = ?
    <?php endif; ?>
  2. Changing the modified and accessed time of a file
    // set both mtime and atime to one year ago (seconds * minutes * hours * days)
    touch("fake.txt", time()-1*60*60*24*365, time()-1*60*60*24*365);
  3. Highlighting a file for PHP syntax with one line
    highlight_file('file.php');

Actually, I already knew about all of these, I just wanted to share :P

Oct 10

First off, I want to stress that the idea of an XSS fuzzer in GreaseMonkey is not my own unique idea - I saw WhiteAcid's XSS Assistant a few months ago and played with it a little bit with some success. However, his is very different from mine, mainly in that it is far more detailed and pretty than mine is. Well, I liked the concept of this XSS fuzzer, but I wanted to change how it worked.

Oct 3

Does anyone have any clue as to why on one day your blog can be completely spam-free, and then the next day and every day after that you have dozens of spam comments in your queue every time you come online? If anyone has any suggestions, excluding captchas (because they're not worth the effort for humans to comment on my blog), for preventing spam, I'm all ears.

In unrelated news, apparently Cialis has been nominated as the new drug that no one wants but will be pushed upon every man, woman and child on the Internet by spammers. This is a blow to the Viagra campaign which until recently held a monopoly in online spam.

Sep 29

There's something I have recently noticed among PHP "security experts" (people who have had their software criticized at some point or other for poor security, and Googled "php security"). For some reason, some PHP developers have this idea that mysql_escape_string or mysql_real_escape_string is the answer to all of their problems. Wrong, wrong, wrong, wrong, wrong, wrong, WRONG.
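Where escaping helps and where it does nothing, as an added example that is not part of this post: `escape()` is a stand-in for mysql_real_escape_string (it neutralises quote characters the way that function does for MySQL, using SQLite's quote-doubling here), and the users table is constructed sample data.

```python
import sqlite3


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string: it only neutralises quote
    characters, which is all escaping can ever do."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    # Constructed sample data, not from any real application.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return db


def lookup_name_escaped(db: sqlite3.Connection, name: str) -> list:
    # Quoted string context: escaping does its job, the quote cannot break out.
    sql = "SELECT name FROM users WHERE name = '" + escape(name) + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_id_escaped(db: sqlite3.Connection, user_id: str) -> list:
    # Numeric context: the column is an integer, so the developer writes no
    # quotes around the value. There is nothing for escape() to neutralise,
    # and whatever the caller supplies is parsed as SQL.
    sql = "SELECT name FROM users WHERE id = " + escape(user_id) + " ORDER BY id"
    return [row[0] for row in db.execute(sql)]


def lookup_id_param(db: sqlite3.Connection, user_id: str) -> list:
    # Parameterised query: the value is bound as data and never parsed as SQL,
    # so it works the same way in numeric and string contexts.
    sql = "SELECT name FROM users WHERE id = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (user_id,))]


if __name__ == "__main__":
    conn = make_db()
    print(lookup_name_escaped(conn, "x' OR '1'='1"))  # [] - escaping held
    print(lookup_id_escaped(conn, "2 OR 1=1"))       # every user - escaping did nothing
    print(lookup_id_param(conn, "2 OR 1=1"))         # [] - bound as data
```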
