
any way to sql injection in oxwall software | Forum

Ajith Jojo May 23 '13

I ask this question to know how to protect my site from SQL injection.

dave (Leader) May 23 '13

Oxwall uses several methods to protect from SQL injection, including but not limited to using escape functions and other sanitization. However, it is open source and you can improve on those methods if you choose to.

If you need more specifics, maybe a team member can reply as well.

The Forum post is edited by dave May 23 '13
suresh kumar May 23 '13

There was a blind SQLi found on my site when tested through localhost.
dave (Leader) May 23 '13

If a team member replies, you need to send them that specific information by PM so that if there is a hole they can plug it.

There are ways to protect against blind SQLi through .htaccess; Google is your friend. Also, one simple thing you can do for any of these is to make sure your error reporting is off but your error logging is on.

Also, make sure error messages are not generic or very, very specific; I would even go so far as to return a code rather than an actual true or false value. One of my scripts returns a code rather than a value, and then I refer to a cheat sheet to translate the coded message.

Also, remember to have a really good process in place to watch your error log for suspicious activity and IP-deny those IPs.

The objective is to protect yourself against the majority, NOT the minority. That means that all anyone can do is protect your stuff against most people, whereas you make it hard for them and they go someplace else. The minority, the few in the world who are in the top percentile of their trade, if they want your stuff they will get it, and there is not much you can do about that short of removing yourself from the web.

The Forum post is edited by dave May 23 '13
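As an added illustration of the two points dave makes above (query input must be escaped or, better, bound as a parameter, and database errors belong in the server log rather than in the response), here is example code that is not from Oxwall or from anyone in this thread. It uses Python with SQLite and a constructed `users` table, whereas Oxwall itself runs on PHP and MySQL; the table, the names in it and the error code `E1001` are all assumptions made for the demo.

```python
import logging
import sqlite3

log = logging.getLogger("sqli-demo")

# Opaque code returned to the caller instead of the database's own message
# (a constructed value, in the spirit of dave's "return a code" advice).
ERR_DB = "E1001"


def make_db():
    """Constructed in-memory table standing in for a real user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("ajith",), ("o'brien",)])
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Deliberately vulnerable: the input is pasted into the SQL text.
    A quote in the input becomes SQL syntax, so the query either fails
    with a database error or no longer means what the developer wrote."""
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Hardened: a bound parameter is always treated as data, never as SQL,
    so a quote in the username is just a character to match."""
    sql = "SELECT id FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def lookup(conn, username, finder=find_user_safe):
    """Run a finder and apply the error-handling advice: the full database
    error goes to the server-side log, the caller only gets an opaque code."""
    try:
        return {"ok": True, "ids": finder(conn, username)}
    except sqlite3.Error as exc:
        log.error("lookup failed for %r: %s", username, exc)
        return {"ok": False, "code": ERR_DB}


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, "o'brien"))                    # safe: finds the user
    print(lookup(db, "o'brien", find_user_unsafe))  # unsafe: only an error code
```

The message that `lookup()` writes to the log is exactly what a PHP site with `display_errors` switched on would hand to the client, which is the leak dave's "reporting off, logging on" advice closes.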
Alia (Team) May 27 '13
Ajith, more info can be found if you search the forum: http://www.oxwall.org/forum/search?q=%20sql%20injection

Suresh, +1 to Dave's reply. If you have faced this kind of issue, we will be glad to check. But we need more detailed info.
dave (Leader) May 27 '13

One thing I forgot to say (and I meant to) was that I would recommend that you uncheck the box under Dashboard and Profile, and also I think it's Group settings in the installed plugins, that lets users configure those pages. I will not say why exactly because I don't want to advertise the reason to unwelcome eyes.

But I will say there was some talk a while back and I have not seen anything since then, so I would uncheck those boxes.

I think Alia knows what I am speaking of.

The Forum post is edited by dave May 27 '13
suresh kumar Jun 16 '13

Sorry for the late reply, I was having exams.

I'll send a PM and mail with all the details soon.