| Home | Register | Members | Search | Windows Vista Tips | File Database | Links |
 |
| Thread Tools | Display Modes |
|
Guest
Posts: n/a
|
|
|
|
||
|
|
| |
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
|
|
|
|
||
|
Guest
Posts: n/a
|
This link I posted before might be the most useful then:
http://unixwiz.net/techtips/sql-injection.html because it details the kind of text that hackers use for inject attacks. -- Phil Wilson The Definitive Guide to Windows Installer http://www.apress.com/book/view/1590592972 "JVRudnick" <> wrote in message news  6CDDA73-CE8B-4645-8EC7-...> Hmm... > first of all, thanks Phil for those links...and I'm busy reading > same...but > so far, this has posed a new question on sql injections....which is as > follows. > > this site has an Admin area, with a login page for same using a > name/password combination, that ONLY I have (least far as I know) > > IMHO, it was here that the hacker gained access, via the sql injection. so > as a "temporary" fix, I've taken down off the server the whole Admin > area -- > and will upload first via FTP before logging in myownself, to do any Admin > tasks (thank god there are so very few, like 2 a month). > > that will I monitor in the near future to see what happens... > > but that also poses this question. as this is the ONLY place that a hacker > could gain access to change in the dbase ALL of the forum titles > themselves, > this "proves" that this "must" be the way they got in...do I have that > right? > > in other words, I can think of no other way for a hacker to gain access to > the Admin area to make that kind of an overall change to about 9 forum > titles > (to read "this site is hacked" ....sigh).... > > can you comment on that? am I correct here? > > -- and now back to try to learn how to prevent an sql injection with a > login > asp page....sigh... > > :-) > > Jim > > > > > "Wilson, Phil" wrote: > >> This might help, not sure if you've looked at them. >> >> http://www.unixwiz.net/techtips/sql-injection.html >> >> http://www.tizag.com/mysqlTutorial/m...-injection.php >> >> http://msdn.microsoft.com/en-us/library/ms161953.aspx >> >> And there are some example on YouTube. >> >> The basic mitigation is to validate all input and not allow certain >> characters like ; and quotes in anything that an outside user can enter. >> >> -- >> Phil Wilson >> The Definitive Guide to Windows Installer >> http://www.apress.com/book/view/1590592972 >> >> >> "JVRudnick" <> wrote in message >> news:2A6344CC-D658-41BB-909F-... >> > Hello all... >> > sorry if this is the 'wrong' forum....pls point me to the right one if >> > this >> > is out of line here.... >> > >> > my small highschool community site has an SQL injection vulnerablilty. >> > it >> > is >> > written in VBScript and ASP...and uses an mySQL dbase too. the sitew >> > was >> > hacked by someone using this vulnerability and I'm trying to learn how >> > to >> > fix >> > same... >> > >> > I found Scrawlr from HP, and a testing of same has found that one page >> > only >> > - showmessage.asp has a Parameter of "bid" and Info says it's >> > "confirmed >> > verbose". >> > >> > My problem is that even after quite a google for same, I can not find >> > out >> > what that means -- nor how to fix it either. >> > >> > Can someone point me to the way to learn what to do? >> > >> > Jim >> |
|
|
|
|
|||
|
|
| |
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Updates were unable to be successfully installed | wjousts | Windows Update | 6 | 01-30-2010 04:01 PM |
| Re: Disable Windows Firewall | Lanwench [MVP - Exchange] | Windows Small Business Server | 7 | 01-06-2010 11:45 PM |
| "Some updates could not be installed" | Antnee20x | Windows Update | 7 | 12-18-2009 07:01 PM |
| Running sql server 2000 and/or sql server 2005 on sbs 2003 | Mark | Windows Small Business Server | 1 | 11-27-2009 10:00 AM |
| Security Update for SQL Server 2005 Service Pack 2 (KB970895) | Ken G | Windows Update | 0 | 11-27-2009 07:18 AM |
Linear Mode
