SQL Injection Detected

Discussion in 'Databases' started by anakyn, Jun 6, 2007.

  1. #1
    Hi,
    I have a PHP script (and SQL database) which allows guests to create a user name and password... For the past few days, when they try to create a user name they receive this error:

    SQL Injection Detected. Make sure to ONLY use letters (a-Z) and numbers (0-9)!

    I can't find the problem. How can I solve it?
    Thank you very much.
    Regards.

    anakyn, Jun 6, 2007
  2. Seiya

    #2
    Your script must have detection of some illegal characters and is thus giving you that error... You have to check the script's list of illegal characters... Usually "<,/" are the ones you aren't allowed to use, but who knows what other characters are set up with this script?

    Seiya, Jun 6, 2007
  3. chemonbyl

    #3
    Okay, so I have a register page for something,

    and it is giving me the exact same error:

    SQL Injection Detected. Make sure to ONLY use letters (a-Z) and numbers (0-9)!

    I want a space but it does not allow anything. Is there any way to go around this, or make it think that something else is a space that will not be detected?
    I dunno, just thinking.

    chemonbyl, Sep 1, 2009
  4. dukeofism

    #4
    PHP has a feature which will cause it to "exit" a string that it thinks will cause errors in your database due to injection. You can turn this off through your PHP options. The feature you need to turn off is called magic_quotes_gpc and can be found in the php.ini file. *Note*: the magic quotes feature is only included in versions of PHP before 6.

    dukeofism, Sep 1, 2009
  5. premiumscripts

    #5
    The error message comes from the script you're using, not from PHP. Check the source code for that error message and the surrounding code.
     
    premiumscripts, Sep 2, 2009
  6. chemonbyl

    #6
    Okay, so coming from the other side of the equation:

    If I wanted to SQL inject a database through a form that does not allow spaces or anything other than numbers and letters, is there any way to get around it or still use the injection command?

    chemonbyl, Sep 2, 2009
  7. premiumscripts

    #7
    Err, why would you want to know that? Seems fishy to me.. Anyway, no, if all they allow is numbers and letters there's no way you'd be able to hack that.
     
    premiumscripts, Sep 2, 2009
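
An added example, not part of the thread and not the code of the script being discussed: a letters-and-digits allowlist of the kind the error message implies, a relaxed variant that accepts single spaces, and a registration insert that binds the name as a query parameter so the allowlist is not the only control. All function names, the `users` table and the sample names are assumptions constructed for illustration.

```php
<?php
// Added example with hypothetical names; not the script from the thread.

// Strict allowlist: letters and digits only, as the error message describes.
// \A and \z anchor the whole string; a bare $ would also accept a trailing newline.
function isStrictUsername(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9]{1,32}\z/', $name) === 1;
}

// Relaxed allowlist: single spaces allowed between alphanumeric words,
// no leading, trailing or doubled spaces.
function isUsernameWithSpaces(string $name): bool
{
    return strlen($name) <= 32
        && preg_match('/\A[A-Za-z0-9]+(?: [A-Za-z0-9]+)*\z/', $name) === 1;
}

// The name is bound as a parameter, so the database never parses it as SQL,
// whichever characters the allowlist lets through.
function createUser(PDO $db, string $name, string $password): bool
{
    if (!isUsernameWithSpaces($name)) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO users (name, password_hash) VALUES (:name, :hash)');
    return $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Constructed demo on an in-memory SQLite database (assumes pdo_sqlite is enabled).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Constructed sample names: plain, with a space, with an apostrophe, and malformed spacing.
$samples = ['anakyn', 'John Smith', "O'Brien", "bob\n", ' lead', 'two  spaces'];
foreach ($samples as $name) {
    printf("%-16s strict=%-3s relaxed=%-3s stored=%s\n",
        json_encode($name),
        isStrictUsername($name) ? 'yes' : 'no',
        isUsernameWithSpaces($name) ? 'yes' : 'no',
        createUser($db, $name, 'constructed-password') ? 'yes' : 'no'
    );
}
```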